Mallory
Severity: Critical · Public exploit

Authentication Bypass in @fastify/express Middleware Path Inheritance

Identifiers: CVE-2026-33807 · CWE-436 (Interpretation Conflict)

CVE-2026-33807 is a path handling vulnerability in @fastify/express affecting version 4.0.4 and earlier. In the plugin registration logic, specifically the onRegister path inheritance behavior, middleware paths inherited by child plugins can be prefixed twice. When a child plugin is registered with a prefix that matches or overlaps a middleware path defined in a parent scope, the child prefix is applied again to the already-prefixed middleware path (for example, middleware mounted at /admin in the parent becomes /admin/admin in a child registered with prefix /admin), so the path no longer matches incoming requests. As a result, Express middleware registered through @fastify/express may silently never execute for routes within affected child plugin scopes. Because such middleware commonly implements authentication, authorization, and rate limiting, the issue can bypass those controls without any error being raised.


Analyst brief: impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

No exploit code is needed: an attacker simply sends ordinary requests to routes in an affected child plugin scope, and the inherited Express middleware never runs for them. If authentication or authorization is implemented through that middleware, protected endpoints can be reached without being challenged or validated. If rate limiting or other request filtering is implemented through the skipped middleware, those protections are also lost. The failure is silent: requests are processed normally, nothing is logged or rejected, and the only symptom is that the middleware never observes traffic for those routes.

Mitigation

If you can’t patch tonight, do this now.

No vendor workaround is published; upgrading is the only confirmed fix. If you cannot upgrade immediately, the only partial risk reduction is to stop relying on inherited Express middleware for security controls in child plugin scopes whose prefix matches or overlaps a parent middleware path, and to verify explicitly, with a test that exercises each protected route, that the control actually fires in every scope. Since the failure is silent, the absence of errors is not evidence that the middleware is running.
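The doubled-prefix behaviour described above, and the coverage check suggested in this section, as an added example that is not code from @fastify/express or from this page. It is a small dependency-free model of Express-style mount matching and of middleware-path inheritance between a parent scope and a prefixed child plugin; the scope structure, the sample app, and every function name (joinPath, mountMatches, inheritPathVulnerable, inheritPathFixed, createScope, use, dispatch, uncoveredRoutes, buildApp) are assumptions for illustration, and inheritPathFixed models the intended behaviour rather than the upstream patch.

```javascript
// Added example, not code from @fastify/express or Mallory: a small model of
// Express-style mount matching and of the doubled-prefix inheritance described
// above, with a coverage check for the mitigation. The scope layout, the
// sample app and every function name here are assumptions for illustration.

// Join a scope prefix and a mount path into one absolute path.
function joinPath(prefix, path) {
  const joined = ('/' + prefix + '/' + path).replace(/\/+/g, '/');
  return joined.length > 1 ? joined.replace(/\/$/, '') : '/';
}

// Express mount semantics: middleware mounted at `mount` runs for requests to
// `mount` itself or to any path beneath it ("/admin" covers "/admin/users").
function mountMatches(mount, reqPath) {
  if (mount === '/') return true;
  return reqPath === mount || reqPath.startsWith(mount + '/');
}

// Vulnerable inheritance (model of the CVE-2026-33807 behaviour): the child
// prefix is prepended to an inherited path that is already absolute, so
// "/admin" inherited into a child registered with prefix "/admin" becomes
// "/admin/admin" and never matches a real request.
function inheritPathVulnerable(middlewarePath, childPrefix) {
  return joinPath(childPrefix, middlewarePath);
}

// Intended behaviour (a model, not the upstream patch): inherited paths were
// made absolute when the middleware was registered, so they pass through unchanged.
function inheritPathFixed(middlewarePath) {
  return middlewarePath;
}

// A scope models one Fastify encapsulation context: its prefix plus the
// middleware list it sees (inherited from the parent via `inheritPath`).
function createScope(prefix, parent, inheritPath) {
  const inherited = parent
    ? parent.middlewares.map((m) => ({ name: m.name, path: inheritPath(m.path, prefix) }))
    : [];
  return { prefix, middlewares: inherited };
}

// app.use(path, fn) inside a scope: the stored path is absolute.
function use(scope, path, name) {
  scope.middlewares.push({ name, path: joinPath(scope.prefix, path) });
}

// Names of the middleware that would run for a request to `reqPath` in `scope`.
function dispatch(scope, reqPath) {
  return scope.middlewares.filter((m) => mountMatches(m.path, reqPath)).map((m) => m.name);
}

// Mitigation check: routes in `scope` that `middlewareName` never reaches.
function uncoveredRoutes(scope, routes, middlewareName) {
  return routes.filter((r) => !dispatch(scope, r).includes(middlewareName));
}

// Sample app (constructed): the parent mounts requireAuth at /admin, then
// registers a child plugin with prefix /admin that defines two routes.
function buildApp(inheritPath) {
  const root = createScope('/', null, inheritPath);
  use(root, '/admin', 'requireAuth');
  const admin = createScope('/admin', root, inheritPath);
  const routes = ['/admin/users', '/admin/settings'];
  return { admin, routes };
}

if (typeof require !== 'undefined' && require.main === module) {
  const models = [['vulnerable', inheritPathVulnerable], ['fixed', inheritPathFixed]];
  for (const [label, inheritPath] of models) {
    const { admin, routes } = buildApp(inheritPath);
    console.log(label, 'inherited paths:', admin.middlewares.map((m) => m.path));
    console.log(label, 'routes without requireAuth:', uncoveredRoutes(admin, routes, 'requireAuth'));
  }
}
```

Run with `node`: under the vulnerable model the inherited path is /admin/admin and both child routes are reported as unreached by requireAuth; under the fixed model the path stays /admin and the list is empty. The same uncoveredRoutes-style assertion, written against your real application's route table and a request that should be rejected, is the check to keep in a test suite so that a silent middleware miss fails a build rather than going unnoticed.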

Remediation

Patch, then assume compromise.

Upgrade @fastify/express to version 4.0.5 or later, which fixes the middleware path handling bug in inherited child plugin scopes. After upgrading, confirm that the affected middleware now executes for routes in child plugin scopes, and review access logs for the exposure window for requests to those routes that should have been rejected.
Public exploits

No public exploit code observed for this vulnerability (0 tracked).

Exposure surface

Affected products & vendors (vendor-confirmed product mapping):

Vendor  | Product         | Type
Fastify | Express         | application
Fastify | Fastify/Express | application
