Skip to main content

Nuxt EUVD-2026-36427

| CVE-2026-53721 HIGH
Improper Handling of Case Sensitivity (CWE-178)
2026-06-12 GitHub_M GHSA-mm7m-92g8-7m47
Authentication Bypass Nuxt
8.8
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

Remote unauthenticated case-flip bypass of routeRules middleware over HTTP yields AV:N/AC:L/PR:N/UI:N; primary impact is exposing gated content (C:H) with limited integrity effect from missed redirects/headers (I:L) and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 12, 2026 - 16:01 EUVD
Source Code Evidence Fetched
Jun 12, 2026 - 14:52 vuln.today
Analysis Generated
Jun 12, 2026 - 14:52 vuln.today

DescriptionCVE.org

Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4.7.

AnalysisAI

Route-rule middleware bypass in Nuxt 3.11.0-3.21.6 and 4.0.0-4.4.6 allows remote attackers to evade routeRules-defined protections (authentication, redirects, headers, prerender/SSR controls) by simply varying URL case, because vue-router matches paths case-insensitively while the routeRules matcher matched case-sensitively. The fix in 3.21.7 and 4.4.7 lowercases the path before matching. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enumerate Nuxt app routes
Delivery
Identify routeRule-protected path
Exploit
Request same path with altered case
Execution
Bypass routeRules middleware
Impact
Access protected resource or content
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The target application must be a Nuxt app on 3.11.0-3.21.6 or 4.0.0-4.4.6 that defines at least one routeRules entry whose security effect (authentication gate, redirect, security headers, or restricted prerender/SSR behavior) the attacker wants to evade, and the rule's path pattern must contain at least one character whose case can be flipped while still being routed by vue-router to the same handler. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L) rates this 8.8 High, treating it as a fully remote, unauthenticated bypass with high confidentiality impact, which is consistent with how routeRules are commonly used to gate sensitive areas. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker browsing a Nuxt-built site notices that /admin returns a login challenge defined by a routeRule, then requests /Admin or /ADMIN; vue-router resolves it to the same admin page component while the routeRules matcher fails to apply the auth/redirect/header rule, granting unauthenticated access to the protected view or revealing prerendered/SSR-only content. No special tooling is required - a browser address-bar edit or curl with a case-shifted path suffices - and no public weaponized exploit is identified at time of analysis.
Remediation Vendor-released patch: upgrade to Nuxt 3.21.7 on the 3.x line or 4.4.7 on the 4.x line, per advisory GHSA-mm7m-92g8-7m47 (https://github.com/nuxt/nuxt/security/advisories/GHSA-mm7m-92g8-7m47); the fix normalizes the path with toLowerCase() before routeRules matching so it aligns with vue-router's case-insensitive routing. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Audit production environment to identify all Nuxt 3 and 4 applications and their versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49993 MEDIUM POC
5.9 Jun 12

Source code exfiltration in Nuxt's @nuxt/webpack-builder and @nuxt/rspack-builder (versions 3.15.4-3.21.6 and 4.0.0-alph
CVE-2026-53722 MEDIUM POC
5.1 Jun 12

Reflected DOM-based XSS in Nuxt's built-in <NuxtLink> component allows an unauthenticated attacker to inject script-capa

Share

EUVD-2026-36427 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy