Description
Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. This issue has been patched in versions 3.21.6 and 4.4.6.
Published: 2026-06-12
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to issue requests to the /__nuxt_island/<name> endpoint for .server.vue pages that bypass the page's defined middleware. Because the SSR renderer serves the component without initializing Vue Router, any authentication, logging, or pre-processing middleware declared via definePageMeta({ middleware }) is skipped. This can let an attacker bypass access controls or reach code paths that were intended to be protected, compromising the confidentiality and integrity of the application state.

Affected Systems

Nuxt version 3.11.0 up to and excluding 3.21.6 and Nuxt 4.0.0‑alpha.1 up to and excluding 4.4.6, as well as @nuxt/nitro‑server versions 3.20.0 up to and excluding 3.21.6 and 4.0.0‑alpha.1 up to and excluding 4.4.6. These releases expose server‑island endpoints that do not enforce route middleware.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. The EPSS score is below 1%, suggesting the likelihood of exploitation is low at this time, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a remote network request to the /__nuxt_island endpoint, so an attacker only needs network access to the application front end to exploit it. The impact is confined to .server.vue pages that rely on route middleware; where that middleware implements authentication checks, the bypass could expose sensitive application paths or data. The patch resolves the issue by reintegrating the middleware checks during SSR rendering. Until patched, mitigation should focus on limiting access to the exposed endpoint or disabling the experimental componentIslands feature.

Generated by OpenCVE AI on June 12, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nuxt to version 3.21.6 or later, or 4.4.6 or later, and update @nuxt/nitro-server to a corresponding patched release.
  • Disable experimental.componentIslands if it is not required for your application to avoid exposing server‑island endpoints.
  • Restrict network or application access to the /__nuxt_island endpoint so that only trusted clients can reach it.

Generated by OpenCVE AI on June 12, 2026 at 14:52 UTC.
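As an added example (not code from the Nuxt project or from this advisory), the following TypeScript separates page_* island requests from ordinary component islands, gives a guard decision that applies the application's own authorization verdict in front of /__nuxt_island, and scans access-log lines for page_* island requests worth reviewing while an affected version is deployed. The optional `.json` suffix, the query-string handling, the Combined Log Format lines and the sample addresses are assumptions constructed for the example.

```typescript
// Added example, not Nuxt project code: recognise requests to the server-island
// endpoint and single out page_* islands, which affected versions render without
// the page's route middleware. Sample data below is constructed.

interface IslandRequest {
  key: string;         // island key, e.g. "page_admin" or "Counter_a1b2c3"
  pageRoute?: string;  // route name when the key has the page_<routeName> form
}

// Parse the path of a request to /__nuxt_island/:name. The query string and an
// optional ".json" suffix are stripped (assumed client fetch shape, not from the advisory).
function parseIslandPath(path: string): IslandRequest | null {
  const prefix = "/__nuxt_island/";
  const clean = path.replace(/\?.*$/, "");
  if (!clean.startsWith(prefix)) return null;
  let key: string;
  try { key = decodeURIComponent(clean.slice(prefix.length)); } catch { return null; }
  if (key.endsWith(".json")) key = key.slice(0, -5);
  if (key.length === 0 || key.includes("/")) return null;  // reject empty or nested names
  const pageRoute = key.startsWith("page_") ? key.slice("page_".length) : undefined;
  return { key, pageRoute };
}

// Decision for a guard in front of the island endpoint (e.g. a Nitro server
// middleware): a page_* island must pass the same check the page's route
// middleware would apply; `isAuthorized` is the application's own verdict.
function shouldBlockIslandRequest(path: string, isAuthorized: boolean): boolean {
  const req = parseIslandPath(path);
  return req !== null && req.pageRoute !== undefined && !isAuthorized;
}

// Scan Combined Log Format lines and return the page_* island requests.
function findPageIslandRequests(logLines: string[]): Array<{ ip: string; route: string }> {
  const re = /^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) HTTP\/[\d.]+"/;
  const hits: Array<{ ip: string; route: string }> = [];
  for (const line of logLines) {
    const m = re.exec(line);
    if (!m) continue;
    const req = parseIslandPath(m[2] ?? "");
    if (req && req.pageRoute !== undefined) hits.push({ ip: m[1] ?? "", route: req.pageRoute });
  }
  return hits;
}

// Constructed sample log lines (documentation address ranges, not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [12/Jun/2026:14:00:01 +0000] "GET /admin HTTP/1.1" 302 0',
  '203.0.113.5 - - [12/Jun/2026:14:00:02 +0000] "GET /__nuxt_island/page_admin.json?props=%7B%7D HTTP/1.1" 200 812',
  '198.51.100.9 - - [12/Jun/2026:14:00:03 +0000] "GET /__nuxt_island/Counter_a1b2c3.json HTTP/1.1" 200 140',
];
```

A request for a page_* island that returns 200 while the matching page route (here /admin) redirected the same client is the pattern to review; after upgrading to 3.21.6 or 4.4.6 the route middleware runs for both.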

Advisories

Source: GitHub GHSA
ID: GHSA-hg3f-28rg-4jxj
Title: Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`

History

Fri, 12 Jun 2026 15:45:00 +0000

Type: First Time appeared
  Values Added: Nuxt; Nuxt nuxt
Type: Vendors & Products
  Values Added: Nuxt; Nuxt nuxt

Fri, 12 Jun 2026 13:45:00 +0000

Type: Description
  Values Added: (the description given at the top of this record)
Type: Title
  Values Added: Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
Type: Weaknesses
  Values Added: CWE-284, CWE-288
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV4_0, score 6.3, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T12:58:00.708Z

Reserved: 2026-05-18T22:07:37.436Z

Link: CVE-2026-47200

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-12T14:16:32.137

Modified: 2026-06-12T16:01:25.477

Link: CVE-2026-47200

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T15:30:31Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel