CVE-2026-14198 Overview
CVE-2026-14198 is a middleware bypass vulnerability in @fastify/middie versions 9.1.0 through 9.3.2. The flaw allows attackers to bypass middleware-based security controls by sending a crafted URL containing an encoded slash (%2F) in a path parameter position. @fastify/middie decodes %2F before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. This inconsistency lets a request reach a protected route handler without triggering middleware used for authentication, authorization, rate limiting, or auditing.
Critical Impact
Attackers can bypass middleware-enforced authentication and authorization on parameterized routes with a single unauthenticated HTTP request, regardless of HTTP method.
Affected Products
- @fastify/middie 9.1.0 through 9.3.2 (Node.js)
- Fastify applications using parameterized middleware paths for security decisions
- Downstream services relying on middie middleware for authorization or rate limiting
Discovery Timeline
- 2026-07-01 - CVE-2026-14198 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-14198
Vulnerability Analysis
The vulnerability is an authentication bypass caused by interpretation conflict [CWE-436] between two request-handling layers. @fastify/middie normalizes the request path by decoding percent-encoded characters, including %2F, before comparing the path against registered middleware patterns. Fastify's router uses the raw, still-encoded path when resolving route handlers. The two layers therefore disagree on the canonical path for the same request.
When a developer registers middleware on a parameterized path such as /users/:id, the middleware layer only matches when it interprets the request path as containing a single segment for :id. An attacker who submits %2F inside the parameter value causes middie to see multiple segments and skip the middleware match. Fastify's router still resolves the request to the intended handler because it treats %2F as literal parameter content. The protected handler executes without any middleware running against the request.
Root Cause
The root cause is inconsistent path canonicalization between @fastify/middie and Fastify's core router. Middie applies URL decoding before path matching; the router preserves encoding. This violates the principle that all security-relevant layers must operate on the same canonical representation of an input.
Attack Vector
Exploitation requires no authentication, no user interaction, and no special preconditions. An attacker sends a single HTTP request to a parameterized route where %2F is placed inside the parameter value. The attack is HTTP method agnostic and works against any endpoint where middie middleware enforces a security decision on a parameterized path. See the GitHub Security Advisory GHSA-2v46-jxjm-7q3v for technical details.
Detection Methods for CVE-2026-14198
Indicators of Compromise
- Access log entries containing %2F inside path parameter positions on routes protected by middie middleware.
- Successful responses (2xx) from protected handlers with no corresponding middleware log entry for the same request ID.
- Sudden divergence between middleware invocation counts and handler invocation counts on parameterized endpoints.
Detection Strategies
- Inventory Fastify applications and identify installations of @fastify/middie at versions 9.1.0 through 9.3.2.
- Add request correlation logging that records both middleware execution and handler execution for each request ID, then alert on mismatches.
- Deploy web application firewall rules that flag or block requests containing %2F within path segments corresponding to route parameters.
Monitoring Recommendations
- Monitor authentication and authorization audit logs for gaps where a protected resource was served without a preceding auth event.
- Track HTTP request telemetry for encoded slash patterns across all parameterized endpoints.
- Review rate limiting counters for anomalous unattributed traffic that reached handlers without incrementing middleware-tracked counts.
How to Mitigate CVE-2026-14198
Immediate Actions Required
- Upgrade @fastify/middie to version 9.3.3 or later across all affected services.
- Audit application code for parameterized middleware paths that enforce authentication, authorization, rate limiting, or auditing.
- Move security-critical checks out of middie middleware and into Fastify hooks that execute after route resolution.
Patch Information
The fix is available in @fastify/middie version 9.3.3. Upgrade using npm install @fastify/middie@9.3.3 or the equivalent command for your package manager, then redeploy affected services. Refer to the OpenJSF Security Advisories and the GitHub Security Advisory GHSA-2v46-jxjm-7q3v for release notes.
Workarounds
- Avoid using parameterized middleware paths for security decisions until the upgrade is deployed.
- Enforce authentication and authorization inside the route handler itself, where Fastify has already resolved the request path.
- Register a Fastify preHandler or onRequest hook that runs after the router resolves the request, ensuring the security check sees the same path as the handler.
- Configure an upstream proxy or WAF to reject requests containing %2F inside path parameter positions.
# Upgrade @fastify/middie to the patched release
npm install @fastify/middie@9.3.3
npm ls @fastify/middie
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

