CVE-2026-33807 - Vulnerability Details

- @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes

Description

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required.

Upgrade to @fastify/express v4.0.5 or later.

Published: 2026-04-15

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The bug in @fastify/express causes middleware paths to be doubled when inherited by child plugins. Because the duplicated prefix prevents the middleware from matching incoming requests, all Express security controls—authentication, authorization, and rate limiting—are completely bypassed for routes defined within affected child plugin scopes. This results in an attacker being able to access protected routes without any credentials or restrictions.

Affected Systems

Any installation of @fastify/express version 4.0.4 or earlier that registers child plugins with prefixes is vulnerable. The affected vendor is fastify, and the product is the @fastify/express package. No other versions were listed as affected.

Risk and Exploitability

The CVSS score is 9.1, indicating a critical level of severity. The EPSS score is not available, so exploitation probability is unknown, but the vulnerability can be exploited remotely by simply accessing the application; no special configuration or request crafting is required. The attack vector is inferred to be remote network access. The vulnerability is not listed in the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

fastify

@fastify/express

unaffected

Version	Status	Constraints
`0`	affected	< 4.0.5
`4.0.5`	unaffected	—

No data.

Vendor Product Confidence Versions

Fastify

Fastify-express

100%

Version	Status	Scheme	Platform
`[0,4.0.5)`	affected	generic	—
`4.0.5`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the @fastify/express package to version 4.0.5 or later.
Review all child plugin registrations and modify any prefixes that match existing middleware paths to prevent double prefixing.
Test that Express middleware security controls are operational in child plugin routes before deploying changes to production.

Generated by OpenCVE AI on April 15, 2026 at 11:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00052.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://cna.openjsf.org/security-advisories.html
https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c

History

Wed, 15 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fastify Fastify fastify-express
Vendors & Products		Fastify Fastify fastify-express

Wed, 15 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 15 Apr 2026 10:00:00 +0000

Type	Values Removed	Values Added
Description		@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required. Upgrade to @fastify/express v4.0.5 or later.
Title		@fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes
Weaknesses		CWE-436
References		https://cna.openjsf.org/security-advisories.html https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Fastify Fastify-express

MITRE

Status: PUBLISHED

Assigner: openjs

Published: 2026-04-15T09:52:26.838Z

Updated: 2026-04-15T13:09:45.259Z

Reserved: 2026-03-23T19:48:48.715Z

Link: CVE-2026-33807

Vulnrichment

Updated: 2026-04-15T13:09:33.633Z

NVD

Status : Received

Published: 2026-04-15T10:16:48.310

Modified: 2026-04-15T14:16:15.647

Link: CVE-2026-33807

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:53:04Z

Weaknesses

CWE-436

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object