Vulnerability in Fastify Applications Affecting Content-Type Validation
CVE-2026-33806
7.5 HIGH
What is CVE-2026-33806?
A vulnerability exists in Fastify applications that use schema.body.content to validate the request body per content type. An attacker can prepend a space to the Content-Type header, which bypasses the validation checks while the body is still parsed as usual. The flaw was introduced in Fastify version 5.3.2 as a regression from a previous fix. Users are advised to upgrade to Fastify version 5.8.5 or higher; there are currently no workarounds available.
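A simplified model of the mismatch described above, added here as an illustration and not taken from Fastify's source. It assumes the body parser normalizes the Content-Type value while the validator lookup uses it verbatim; all function names and the sample schema check are hypothetical.

```javascript
// Simplified model, constructed for illustration; this is not Fastify source code.
// Assumption: the parser trims the header value, the validator lookup does not.
const validators = new Map([
  // Hypothetical per-content-type check standing in for schema.body.content.
  ['application/json',
    (b) => b !== null && typeof b === 'object' && typeof b.name === 'string'],
]);

// Media type without parameters, trimmed and lower-cased.
function mediaType(contentType) {
  return contentType.split(';')[0].trim().toLowerCase();
}

// Body parsing tolerates surrounding whitespace in the header value.
function parseBody(contentType, raw) {
  const type = mediaType(contentType);
  if (type === 'application/json') return JSON.parse(raw);
  throw new Error(`unsupported media type: ${type}`);
}

// Flawed: the validator is looked up with the raw header value, so a value
// with a leading space finds no validator and the body is accepted unchecked.
function handleFlawed(contentType, raw) {
  const body = parseBody(contentType, raw);
  const validate = validators.get(contentType.split(';')[0]);
  if (validate && !validate(body)) return { status: 400 };
  return { status: 200, body };
}

// Hardened: the lookup uses the same normalization as the parser and fails
// closed when a parsed content type has no validator registered.
function handleHardened(contentType, raw) {
  const body = parseBody(contentType, raw);
  const validate = validators.get(mediaType(contentType));
  if (!validate || !validate(body)) return { status: 400 };
  return { status: 200, body };
}

// Constructed sample: a body that violates the schema (name must be a string).
const invalid = '{"name": 1}';
for (const ct of ['application/json', ' application/json']) {
  console.log(JSON.stringify(ct),
    'flawed:', handleFlawed(ct, invalid).status,
    'hardened:', handleHardened(ct, invalid).status);
}
```

The same two requests make a compact regression test for a real route after upgrading: the invalid body must be rejected for both header values.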
Affected Version(s)
fastify 5.3.2 < 5.8.5
fastify 5.8.5
