CVE-2026-2880 in middie

Summary

by MITRE • 02/27/2026

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).

When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.


Analysis

by VulDB Data Team • 03/19/2026

The vulnerability identified as CVE-2026-2880 resides within the @fastify/middie middleware plugin version 9.1.0 and earlier, presenting a critical authentication and authorization bypass flaw that can compromise protected application resources. This issue specifically affects applications that implement path-scoped middleware using the pattern app.use('/secret', auth) where middleware is applied to specific routes or route prefixes. The vulnerability stems from a fundamental mismatch between how Fastify's routing normalization processes handle request paths and how middleware authorization checks are executed, creating a window where maliciously crafted requests can traverse protected routes without proper authentication.

The technical root cause of this vulnerability lies in the interaction between Fastify's router normalization features and middleware execution flow. When router normalization options such as ignoreDuplicateSlashes, useSemicolonDelimiter, and trailing-slash handling are enabled, the framework normalizes incoming request paths before routing decisions are made. However, this normalization process occurs at a different stage than middleware authorization checks, creating a scenario where a request path that appears valid to the router normalization logic may not match the path used for middleware authorization validation. This discrepancy allows attackers to craft request URLs that bypass middleware checks while still successfully reaching protected handler functions, effectively circumventing the intended security controls.

The operational impact of this vulnerability is severe and can result in unauthorized access to sensitive application resources, user data exposure, and potential privilege escalation within affected systems. Attackers can exploit this vulnerability by constructing request paths that leverage the router normalization behavior to bypass authentication middleware while still being properly routed to protected endpoints. This creates a scenario where legitimate users might be denied access due to the middleware bypass, while unauthorized parties can gain access to resources that should be protected. The vulnerability is particularly dangerous in applications that rely on path-scoped middleware for role-based access control or sensitive resource protection, as it can lead to complete compromise of the application's security model.

Organizations using affected versions of @fastify/middie should immediately upgrade to version 9.2.0 or later to remediate this vulnerability. The fix addresses the core issue by ensuring that middleware authorization checks are performed against the same normalized paths that routing decisions are based upon, eliminating the mismatch that enables the bypass. Additionally, security teams should conduct comprehensive audits of their applications to identify any instances where path-scoped middleware is used with router normalization features enabled. This vulnerability aligns with CWE-284, which addresses improper access control, and maps to ATT&CK technique T1078.004 for valid accounts and T1566.001 for spearphishing attachments, as it enables unauthorized access through legitimate application paths. Organizations should also consider implementing additional monitoring and logging around authentication middleware execution to detect potential exploitation attempts, and review their Fastify application configurations to ensure that router normalization options are carefully evaluated for compatibility with security controls.
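The following is an added illustration, not code from @fastify/middie or Fastify: it models the mismatch described above with a simplified router normalizer (an assumption, not find-my-way's real implementation) and contrasts a scope check made on the raw URL with one made on the same normalized path the router uses. The constructed sample URLs and the audit helper `findGaps` are also assumptions for illustration.

```javascript
// Added example for CVE-2026-2880 (not the project's code). The normalizer below
// is an ASSUMED approximation of the router options named in the advisory.
const ROUTER_OPTS = {
  ignoreDuplicateSlashes: true, // router treats '//a' like '/a'
  ignoreTrailingSlash: true,    // router treats '/a/' like '/a'
  useSemicolonDelimiter: true,  // router treats ';' as ending the path, like '?'
};

// Approximation of what the router matches against, given the options above.
function routerNormalize(rawUrl, opts = ROUTER_OPTS) {
  let path = rawUrl.split('?')[0];
  if (opts.useSemicolonDelimiter) path = path.split(';')[0];
  if (opts.ignoreDuplicateSlashes) path = path.replace(/\/{2,}/g, '/');
  if (opts.ignoreTrailingSlash && path.length > 1) path = path.replace(/\/+$/, '');
  return path;
}

// Does `path` fall under the middleware scope `prefix`?
// '/secret' covers exactly '/secret' and anything below '/secret/'.
function inScope(prefix, path) {
  return path === prefix || path.startsWith(prefix + '/');
}

// Mismatched: scope decided on the raw URL, routing decided on the normalized one.
function naiveAuthRequired(rawUrl) {
  return inScope('/secret', rawUrl);
}

// Hardened: scope decided on the same normalized path the router uses.
function hardenedAuthRequired(rawUrl) {
  return inScope('/secret', routerNormalize(rawUrl));
}

// For one request: does it reach the protected '/secret' handler, and does each
// middleware variant require authentication for it?
function evaluate(rawUrl) {
  const routed = routerNormalize(rawUrl) === '/secret';
  return {
    routed,
    naiveChecked: naiveAuthRequired(rawUrl),
    hardenedChecked: hardenedAuthRequired(rawUrl),
  };
}

// Audit helper: URLs that reach the protected handler without the naive
// middleware ever firing. Under the hardened check this list is empty.
function findGaps(urls, authRequired = naiveAuthRequired) {
  return urls.filter(u => routerNormalize(u) === '/secret' && !authRequired(u));
}

// Constructed sample request paths (assumption, not from the advisory).
const SAMPLE_URLS = ['/secret', '/secret/', '//secret', '/secret;v=1', '/public'];
```

Running `findGaps(SAMPLE_URLS)` reports the paths the raw-URL check misses, while `findGaps(SAMPLE_URLS, hardenedAuthRequired)` returns nothing, which is the property the 9.2.0 fix restores.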

Responsible: Openjs

Reservation: 02/20/2026

Disclosure: 02/27/2026

Moderation: accepted

CPE: ready

EPSS: 0.00087

KEV: no

Activities: very low

Sources
