Description
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.
Published: 2026-04-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the @fastify/middie package allows an attacker to bypass authentication and authorization mechanisms. When an application registers authentication middleware in a parent scope, any child plugins that use @fastify/middie fail to inherit that middleware. As a result, routes defined within child plugin scopes can be accessed without authentication, leading to unauthorized data exposure or manipulation. The weakness is a failure to enforce correct policy, identified as CWE-436.

Affected Systems

The affected product is the @fastify/middie package; all versions 9.3.1 and earlier are impacted. The issue is triggered when authentication middleware is registered in a parent Fastify scope and child plugins are then added using @fastify/middie.

Risk and Exploitability

The CVSS base score for the vulnerability is 9.1, indicating a high severity with potential for full exploitation. The EPSS score is not available, so the precise likelihood of exploitation cannot be quantified; however, the lack of authentication for child plugin routes implies that a remote attacker who can send web requests to the application can easily leverage this flaw to gain unauthenticated access. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the high severity and straightforward exploit path increase overall risk for exposed services.

Generated by OpenCVE AI on April 17, 2026 at 02:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official fix by upgrading @fastify/middie to version 9.3.2 or newer.
  • Validate that the authentication middleware is applied directly to any child plugin scopes that cannot be updated, ensuring that child routes remain protected.
  • Periodically audit plugin usage to confirm that all child plugins are correctly configured with authentication protections.
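The audit the last two recommendations describe can be automated as a regression check. The following is an added example, not code from the OpenCVE page or from the Fastify or @fastify/middie projects. It relies only on Fastify's public app.inject({ method, url }) API, which resolves to a response carrying statusCode; the helper names, the route list, and the stub application standing in for an instance on @fastify/middie 9.3.1 or earlier are assumptions made for illustration. In production the same helper is pointed at the real Fastify instance after all plugins are registered.

```javascript
'use strict';
// Added example (not part of the OpenCVE page or the @fastify/middie project):
// a regression check for the behaviour described in CVE-2026-6270. It sends
// requests WITHOUT credentials to routes that live in child plugin scopes and
// reports any route that answers with something other than 401/403.
// Only Fastify's public app.inject({ method, url }) -> Promise<{ statusCode }>
// is assumed; every other name here is a hypothetical helper for illustration.

// Pure classifier: an unauthenticated request must be refused outright.
function classifyFinding(method, url, statusCode) {
  const isRefused = statusCode === 401 || statusCode === 403;
  return { method, url, statusCode, protected: isRefused };
}

// Run every route through app.inject with no Authorization header attached.
async function auditUnauthenticatedAccess(app, routes) {
  const findings = [];
  for (const { method, url } of routes) {
    const res = await app.inject({ method, url });
    findings.push(classifyFinding(method, url, res.statusCode));
  }
  return findings;
}

function unprotectedRoutes(findings) {
  return findings.filter((f) => !f.protected);
}

// Constructed stand-in for a Fastify app (assumption, not the real library):
// routes in the parent scope are guarded by the auth middleware; routes in the
// child plugin scope (registered under the /admin prefix) are guarded only
// when childScopeGuarded is true, i.e. after the upgrade to 9.3.2 or when the
// middleware is registered directly inside the child scope as well.
function makeStubApp(childScopeGuarded) {
  return {
    async inject({ method, url }) {
      if (url.startsWith('/admin/')) {
        return { statusCode: childScopeGuarded ? 401 : 200 };
      }
      return { statusCode: 401 }; // parent scope: middleware applied
    },
  };
}

// Constructed route inventory: one parent-scope route, two child-scope routes.
const ROUTES_TO_AUDIT = [
  { method: 'GET', url: '/profile' },         // parent scope
  { method: 'GET', url: '/admin/users' },     // child plugin scope
  { method: 'DELETE', url: '/admin/users/42' } // child plugin scope
];

async function main() {
  const vulnerable = await auditUnauthenticatedAccess(makeStubApp(false), ROUTES_TO_AUDIT);
  const fixed = await auditUnauthenticatedAccess(makeStubApp(true), ROUTES_TO_AUDIT);
  console.log('unprotected before fix:',
    unprotectedRoutes(vulnerable).map((f) => `${f.method} ${f.url}`));
  console.log('unprotected after fix:', unprotectedRoutes(fixed).length);
}

main();
```

Treating only 401 and 403 as acceptable is deliberate: a 404 or 500 from an unauthenticated probe says nothing about whether the auth middleware ran, so the check flags every other status and leaves the decision to a human rather than silently passing.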



Advisories

Source: GitHub GHSA
ID: GHSA-72c6-fx6q-fr5w
Title: @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
History

Thu, 16 Apr 2026 19:00:00 +0000

First Time appeared: added Fastify, Fastify middie
Vendors & Products: added Fastify, Fastify middie

Thu, 16 Apr 2026 15:15:00 +0000

Metrics (ssvc): added {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 14:00:00 +0000

Description: added "@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds."
Title: added "@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes"
Weaknesses: added CWE-436
References:
Metrics (cvssV3_1): added {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-04-16T14:24:26.764Z

Reserved: 2026-04-14T11:08:51.828Z

Link: CVE-2026-6270

Vulnrichment

Updated: 2026-04-16T14:24:22.614Z

NVD

Status: Undergoing Analysis

Published: 2026-04-16T14:16:19.433

Modified: 2026-04-17T15:17:00.957

Link: CVE-2026-6270

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T03:00:08Z

Weaknesses