Cache Middleware Vulnerability in Fiber Web Framework by Go
CVE-2026-30246

6.5MEDIUM

Key Information:

Vendor

Gofiber

Status
Fiber
Vendor
CVE Published:
5 May 2026

What is CVE-2026-30246?

The Fiber web framework for Go exhibits an issue within its cache middleware where the default key generator relies solely on the request path, neglecting the request's query string. This oversight can lead to different requests that share the same path but contain varying query parameters being assigned the same cache key. Consequently, it could result in incorrect data being returned to users accessing query-dependent endpoints, potentially exposing sensitive information intended for other requests. This flaw has been corrected in versions subsequent to 3.1.0.

Affected Version(s)

fiber >= v3.0.0-beta.2, < 3.1.0

References

https://github.com/gofiber/fiber/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/gofiber/fiber/blob/main/middleware/cac...
x_refsource_MISC
https://github.com/gofiber/fiber/blob/main/middleware/cac...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.