CVE-2026-6556 | @fastify/express versions 4.0.6 and earlier only rewrite the… | CVSS 9.1 CRITICAL

Description

@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths (arrays of paths and regular expressions) are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms does not match the actual prefixed request path. Applications that use path-scoped middleware for authentication, authorization, rate limiting, or auditing on routes inside a prefixed scope can be bypassed by sending a request to the prefixed route, because Fastify still matches the route but the middleware is skipped. Patches: upgrade to @fastify/express 4.0.7. Workarounds: use string mount paths instead of arrays or regular expressions in prefixed plugins, or register one use call per path.

Metadata

CVE ID: CVE-2026-6556
State: PUBLISHED
Assigner: openjs
Reserved: 2026-04-18 09:00 UTC
Published: 2026-06-30 12:48 UTC
Last updated: 2026-06-30 13:30 UTC
Primary CWE: CWE-285
CWE-285: Improper Authorization
Vendor / Product: @fastify/express / @fastify/express
Sources: cve.org · NVD

Severity & Metrics

9.1 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
@fastify/express	@fastify/express	—	0 < 4.0.7, 4.0.7

Weakness (CWE)

CWE	Source	Description
CWE-285	cna	CWE-285: Improper Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.1	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (2)