Middleware Bypass Vulnerability in @fastify/middie Plugin
CVE-2026-22031

8.4HIGH

Key Information:

Vendor

Fastify

Status
Middie
Vendor
CVE Published:
19 January 2026

What is CVE-2026-22031?

A vulnerability exists in the @fastify/middie plugin prior to version 9.1.0, where specific path prefixes can be exploited using URL-encoded characters to bypass registered middleware. This occurs because the middleware engine fails to properly match the encoded paths, while the Fastify router decodes them correctly, granting attackers access to protected endpoints without the intended middleware restrictions. The issue is resolved in version 9.1.0, emphasizing the importance of regular updates and security reviews.

Affected Version(s)

middie < 9.1.0

References

https://github.com/fastify/middie/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/fastify/middie/pull/245
x_refsource_MISC
https://github.com/fastify/middie/commit/d44cd56eb724490b...
x_refsource_MISC

CVSS V3.1

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.