Skip to main content

@fastify/express CVE-2026-6556

| EUVDEUVD-2026-40309 CRITICAL
Improper Authorization (CWE-285)
2026-06-30 ce714d77-add3-4f53-aff5-83d477b104bb
9.1
CVSS 3.1 · Vendor: ce714d77-add3-4f53-aff5-83d477b104bb
Share

Severity by source

Vendor (ce714d77-add3-4f53-aff5-83d477b104bb) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.4 HIGH

Network and unauthenticated (AV:N/PR:N), but AC:H because exploitation depends on the app using array/RegExp mount paths for security middleware in a prefixed scope; high C/I from bypassed authz, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (ce714d77-add3-4f53-aff5-83d477b104bb).

CVSS VectorVendor: ce714d77-add3-4f53-aff5-83d477b104bb

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 30, 2026 - 15:01 EUVD
Analysis Generated
Jun 30, 2026 - 13:33 vuln.today

DescriptionCVE.org

@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths (arrays of paths and regular expressions) are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms does not match the actual prefixed request path. Applications that use path-scoped middleware for authentication, authorization, rate limiting, or auditing on routes inside a prefixed scope can be bypassed by sending a request to the prefixed route, because Fastify still matches the route but the middleware is skipped. Patches: upgrade to @fastify/express 4.0.7. Workarounds: use string mount paths instead of arrays or regular expressions in prefixed plugins, or register one use call per path.

AnalysisAI

Authorization bypass in the @fastify/express middleware-compatibility plugin (versions 4.0.6 and earlier) lets unauthenticated remote attackers reach protected routes inside prefixed Fastify plugin scopes when security middleware is mounted using array or regular-expression paths. Because those non-string mount paths are never rewritten with the plugin prefix, authentication, authorization, rate-limiting, or auditing middleware silently fails to match the real request path and is skipped while Fastify still routes the request to the handler. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify prefixed route behind array/RegExp-mounted middleware
Delivery
Send unauthenticated request to prefixed path
Exploit
Fastify matches route but skips middleware
Execution
Access protected handler without authorization
Impact
Read or modify protected data

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application uses @fastify/express (≤4.0.6) and registers path-scoped middleware - specifically middleware performing authentication, authorization, rate limiting, or auditing - inside a Fastify plugin that is mounted under a path prefix, AND that this middleware is declared with a non-string mount path (an array of paths or a regular expression) rather than a string. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, base 9.1) describes a network-reachable, unauthenticated, low-complexity bypass with high confidentiality and integrity impact and no availability impact, which is consistent with an auth/authz control being skipped. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer protects /api/admin routes by registering an authentication middleware in a prefixed plugin using a RegExp or array mount path; because the prefix is never applied, the middleware never matches and is skipped. An unauthenticated attacker simply sends a normal HTTP request to the real prefixed route (e.g. …
Remediation Vendor-released patch: 4.0.7 - upgrade @fastify/express to 4.0.7 or later, which restores prefix rewriting for non-string mount paths, per GHSA-3wf5-7852-vcfq (https://github.com/fastify/fastify-express/security/advisories/GHSA-3wf5-7852-vcfq). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running @fastify/express 4.0.6 or earlier and assess exposure; systems using array or regex-based route prefixes require priority assessment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6556 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy