Middleware Bypass in Fastify Plugin by Fastify
CVE-2026-22037

8.4HIGH

Key Information:

Vendor: Fastify
Status: Fastify-express
Vendor: CVE Published:; 19 January 2026

What is CVE-2026-22037?

A security issue exists in the @fastify/express plugin for Fastify, where middleware registered with specific path prefixes can be bypassed using URL-encoded characters. For example, the encoded URL /%61dmin can allow access to the /admin route, circumventing the middleware constraints due to a failure in matching the encoded path. This allows attackers to reach protected endpoints without the proper middleware checks. Version 4.0.3 of the @fastify/express plugin has released a patch to mitigate this vulnerability.

Affected Version(s)

fastify-express < 4.0.3

References

https://github.com/fastify/fastify-express/security/advis...

x_refsource_CONFIRM

https://github.com/fastify/fastify-express/commit/dc02a3f...

x_refsource_MISC

CVSS V3.1

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 19, 2026
Vulnerability Reserved
Jan 5, 2026

CVE-2026-22037 Data

JSON