Home / Vulnerability Intelligence / CVE-2026-33807

CVE-2026-33807 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: April 15, 2026

@fastify/express - Broken Access Control

Published: April 15, 2026Updated: April 15, 2026Remote Exploitable

Overview

@fastify/express <= 4.0.4 contains a path handling bug in onRegister function causing middleware paths to be doubled in child plugins, letting attackers bypass middleware security controls, exploit requires no special conditions.

Severity & Score

Severity: Critical

CVSS Score: 9.1

Impact

Attackers can bypass authentication, authorization, and rate limiting, compromising security of all routes in affected child plugins.

Mitigation

Upgrade to @fastify/express v4.0.5 or later.

References

https://cna.openjsf.org/security-advisories.html
https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-33807
Severity: Critical
CVSS Score: 9.1
Type: broken_access_control
Status: new

CWE

CWE-436

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N