Authorization Bypass in Astro Web Framework Affects Version 6.4.7
CVE-2026-59731

8.2HIGH

Key Information:

Vendor

Withastro

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59731?

The Astro web framework, particularly in version 6.4.7, is susceptible to a security flaw that allows for unauthorized access to protected routes. This occurs due to the framework's reliance on a partially decoded pathname after it hits the iterative URL decoder limit during authorization decisions. Subsequently, the routing process may incorrectly permit access to these secured routes following an additional decodeURI() operation. Versions following 6.4.7 address this vulnerability, emphasizing the importance of upgrading to version 6.4.8 or later.

Affected Version(s)

astro >= 6.4.7, < 6.4.8

References

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.