Path Traversal Vulnerability in @fastify/static by Fastify
CVE-2026-6414

5.9 MEDIUM

Key Information:

Vendor:
Fastify
CVE Published:
16 April 2026

What is CVE-2026-6414?

The @fastify/static package in versions 8.0.0 through 9.1.0 contains a vulnerability that allows an attacker to circumvent route-based middleware protections: the package decodes percent-encoded path separators (%2F) before resolving the request against the filesystem, so a route guard that matched on the still-encoded path and the file-serving step that uses the decoded path can disagree about which file a request refers to. This inconsistency in path handling can lead to unauthorized access to protected files. Users are strongly recommended to upgrade to @fastify/static version 9.1.1 or higher, as there are no workarounds available to mitigate this risk.

Affected Version(s)

@fastify/static >= 8.0.0, < 9.1.1 (affected)

@fastify/static 9.1.1 (fixed)


CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 16 April 2026
  • Vulnerability reserved

Credit

blakeembrey
mcollina
UlisesGascon
climba03003