CVE-2026-6270
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
Description
### Impact

`@fastify/middie` v9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fails to match incoming requests.

This results in a complete bypass of middleware security controls for all routes defined within affected child plugin scopes, including nested (grandchild) scopes. Authentication, authorization, rate limiting, and any other middleware-based security mechanisms are skipped. No special request crafting or configuration is required.

This is the same vulnerability class as [GHSA-hrwm-hgmj-7p9c](https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c) (CVE-2026-33807) in `@fastify/express`.

### Patches

Upgrade to `@fastify/middie` v9.3.2 or later.

### Workarounds

None. Upgrade to the patched version.
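As an added illustration (not code from `@fastify/middie` or from the advisory), the model below mimics a parent-scoped `requireAuth` middleware at `/admin` being inherited by a child plugin registered with the overlapping prefix `/admin`. The flawed transformation (prepending the child prefix to an already absolute path) is an assumption drawn from the advisory's wording, not middie's actual implementation; `unprotectedRoutes` is the kind of regression check a team would want to run so that a silently non-matching middleware path is caught rather than trusted.

```javascript
// Illustrative model of path-scoped middleware inheritance (not middie's code).
// The re-prefixing step below is an assumption based on the advisory text.

// Prefix matcher in the style of path-scoped middleware: '/admin' matches
// '/admin' and '/admin/anything', but not '/administrator'.
function pathMatches(middlewarePath, url) {
  if (middlewarePath === '/') return true;
  return url === middlewarePath || url.startsWith(middlewarePath + '/');
}

// Correct inheritance: the middleware keeps the path it was registered with.
function inheritCorrect(middlewarePath, childPrefix) {
  return middlewarePath;
}

// Assumed flawed inheritance: the child prefix is applied again to a path
// that was already absolute, so '/admin' drifts to '/admin/admin'.
function inheritReprefixed(middlewarePath, childPrefix) {
  return childPrefix + middlewarePath;
}

// Build a child scope from the parent's middleware (propagated with the given
// strategy) and the child's own routes, expressed as full URLs after prefixing.
function buildChildScope(parentMiddleware, childPrefix, childRoutes, inherit) {
  return {
    middleware: parentMiddleware.map(m => ({ ...m, path: inherit(m.path, childPrefix) })),
    routes: childRoutes.map(r => childPrefix + r),
  };
}

// Regression check: does the auth middleware fire for every route of the child
// scope? Returns the routes that would be served without it.
function unprotectedRoutes(inherit) {
  // Constructed sample: auth middleware at '/admin', child plugin prefixed '/admin'.
  const parentMiddleware = [{ name: 'requireAuth', path: '/admin' }];
  const child = buildChildScope(parentMiddleware, '/admin', ['/secret', '/users'], inherit);
  return child.routes.filter(url =>
    !child.middleware.some(m => m.name === 'requireAuth' && pathMatches(m.path, url)));
}
```

Against a real application the same check is best expressed as a test that calls `fastify.inject()` on each child-scope route without credentials and asserts the middleware's rejection status, so an upgrade or refactor that changes path propagation fails CI instead of shipping.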
How to fix CVE-2026-6270
To remediate CVE-2026-6270, upgrade the affected package to a fixed version below.
- `@fastify/middie`: upgrade to 9.3.2 or later
Is CVE-2026-6270 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `@fastify/middie`: all versions from 0 up to, but not including, 9.3.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |