Description
Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0.
Published: 2026-05-05
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fiber, a Go web framework, implements a cache middleware whose default key generator uses only the request path. As a result, requests to the same URL path but with different query parameters can share a cache key and return an incorrect cached response. This flaw risks exposing data intended for a different request, which is a form of data leakage. The weakness is identified as CWE-436 (Incomplete Handling of Request Input Parameters).

Affected Systems

Go Fiber v3, specifically versions 3.0 through 3.1.0, are affected. The vulnerability is fixed in releases after 3.1.0; users running any version of Fiber within that range must upgrade to a patched version to avoid the cache mix-up.

Risk and Exploitability

The CVSS score is 6.5, indicating medium severity. There is no EPSS score available, so the likelihood of exploitation cannot be quantified from public data. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires normal HTTP requests to the affected endpoint; an attacker can craft queries to trigger a cache hit on a previously generated response for a different set of query parameters, potentially causing unauthorized data disclosure.

Generated by OpenCVE AI on May 5, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Fiber v3.1.1 or later to apply the vendor fix.
  • Confirm that the application is using the updated cache middleware, not the legacy implementation.
  • If an upgrade cannot be performed immediately, disable caching for endpoints that depend on query parameters or modify the cache key generation to include the query string as a mitigating workaround.

Generated by OpenCVE AI on May 5, 2026 at 13:20 UTC.
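
The key collision described above and the query-aware key suggested as a workaround can be modelled with the Go standard library alone. This is an added example, not Fiber's code or its fix; `pathOnlyKey`, `queryAwareKey`, `serve` and `mixUp` are hypothetical names, and the `/report?user=` handler is constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// pathOnlyKey models the affected default: the query string is ignored.
func pathOnlyKey(u *url.URL) string { return u.Path }

// queryAwareKey appends the canonicalized query. Values.Encode sorts by
// parameter name, so ?a=1&b=2 and ?b=2&a=1 share one entry while
// different parameter values get separate entries.
func queryAwareKey(u *url.URL) string {
	if q := u.Query().Encode(); q != "" {
		return u.Path + "?" + q
	}
	return u.Path
}

// serve is a constructed stand-in for a cached handler whose response
// body depends on the ?user= query parameter.
func serve(cache map[string]string, key func(*url.URL) string, rawURL string) (string, error) {
	u, err := url.ParseRequestURI(rawURL)
	if err != nil {
		return "", err
	}
	k := key(u)
	if body, ok := cache[k]; ok {
		return body, nil // cache hit: the handler is not run
	}
	body := "report for " + u.Query().Get("user")
	cache[k] = body
	return body, nil
}

// mixUp reports whether the second request received the body that was
// generated for the first request.
func mixUp(key func(*url.URL) string) bool {
	cache := map[string]string{}
	first, _ := serve(cache, key, "/report?user=alice") // constructed sample requests
	second, _ := serve(cache, key, "/report?user=bob")
	return first == second
}

func main() {
	fmt.Println("path-only key mixes responses:", mixUp(pathOnlyKey))
	fmt.Println("query-aware key mixes responses:", mixUp(queryAwareKey))
}
```

A query-aware key only separates responses by URL. Responses that vary on headers, cookies or the authenticated user still need those inputs in the key, or must not be cached.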

Advisories
Source | ID | Title
Github GHSA | GHSA-35hp-hqmv-8qg8 | Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters
History

Tue, 05 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gofiber; Gofiber fiber
Vendors & Products | | Gofiber; Gofiber fiber

Tue, 05 May 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0.
Title | | github.com/gofiber/fiber/v3 cache middleware can mix responses across query parameters
Weaknesses | | CWE-436
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T15:04:02.984Z

Reserved: 2026-03-04T17:23:59.799Z

Link: CVE-2026-30246

Vulnrichment

Updated: 2026-05-05T15:03:46.350Z

NVD

Status: Received

Published: 2026-05-05T13:16:28.820

Modified: 2026-05-05T16:16:11.090

Link: CVE-2026-30246

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T13:30:25Z

Weaknesses