What is the CVSS score of CVE-2026-3635?

CVE-2026-3635 has a CVSS 3.1 base score of 6.1 (Medium). CVSS vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Red Hat are affected by CVE-2026-3635?

Organizations using Summary When trustProxy should be aware of moderate risk from CVE-2026-3635 rated CVSS 6.1. Exploitation could compromise the security of affected deployments.. A patch is available.

Red Hat CVE-2026-3635

Q: How to fix or mitigate CVE-2026-3635?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

EUVD-2026-14431 MEDIUM

Use of Less Trusted Source (CWE-348)

2026-03-23 openjs

GHSA-444r-cwp2-x5xf

CSRF Red Hat

6.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 23, 2026 - 14:00 euvd

EUVD-2026-14431

Analysis Generated

Mar 23, 2026 - 14:00 vuln.today

CVE Published

Mar 23, 2026 - 13:53 nvd

MEDIUM 6.1

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

24 npm packages depend on fastify (10 direct, 14 indirect)

Ecosystem-wide dependent count for version 5.8.3.

DescriptionNVD

Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection - including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions fastify <= 5.8.2

Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers - this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

AnalysisAI

Fastify versions 5.8.2 and earlier contain a header spoofing vulnerability in the trustProxy implementation where the request.protocol and request.host getters incorrectly trust X-Forwarded-Proto and X-Forwarded-Host headers even from untrusted connections when a restrictive trust function is configured. An attacker who can connect directly to a Fastify instance (bypassing the intended proxy) can spoof protocol and host values, potentially bypassing HTTPS enforcement, manipulating secure cookie behavior, and defeating CSRF origin checks. …

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory