Which versions of Astro are affected by CVE-2026-33769?

CVE-2026-33769 is a low-severity vulnerability in Astro involving input validation (CVSS 2.9).. A patch is available.

How to fix or mitigate CVE-2026-33769?

During next maintenance window: Apply vendor patches when convenient. Verify input validation controls are in place.

Astro CVE-2026-33769

Q: What is the CVSS score of CVE-2026-33769?

CVE-2026-33769 has a CVSS 4.0 base score of 2.9 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-14984 LOW

Improper Input Validation (CWE-20)

2026-03-24 GitHub_M

GHSA-g735-7g2w-hh3f

Information Disclosure Astro

2.9

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

2.9 LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 24, 2026 - 19:00 euvd

EUVD-2026-14984

Analysis Generated

Mar 24, 2026 - 19:00 vuln.today

CVE Published

Mar 24, 2026 - 18:44 nvd

LOW 2.9

DescriptionGitHub Advisory

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1.

AnalysisAI

Astro's remotePatterns path enforcement contains a logic flaw where wildcard matching for /* is unanchored, allowing attackers to bypass path restrictions and access unintended resources on allowed hosts. Versions 2.10.10 through 5.18.0 are affected, enabling information disclosure through server-side image optimization endpoints and other remote fetchers. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	Without CVSS or EPSS scores provided, risk assessment relies on the technical details and metadata available. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker identifies that a target organization uses Astro with remotePatterns configured to allow https://cdn.example.com/public/*. The attacker crafts a request to the Astro image optimization endpoint requesting an image from https://cdn.example.com/secret-admin/public/config.json, which bypasses the intended restriction because the allowlisted prefix /public/ appears later in the path. …
Remediation	Immediately upgrade Astro to version 5.18.1 or later, which contains the patch correcting the unanchored wildcard matching logic in remotePatterns enforcement. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

During next maintenance window: Apply vendor patches when convenient. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33769 vulnerability details – vuln.today

Back