Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14198

CVE-2026-14198: Fastify/middie Auth Bypass Vulnerability

CVE-2026-14198 is an authentication bypass flaw in Fastify/middie versions 9.1.0 through 9.3.2 that allows attackers to bypass middleware security controls using encoded slashes. This post covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-14198 Overview

CVE-2026-14198 is a middleware bypass vulnerability in @fastify/middie versions 9.1.0 through 9.3.2. The flaw allows attackers to bypass middleware-based security controls by sending a crafted URL containing an encoded slash (%2F) in a path parameter position. @fastify/middie decodes %2F before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. This inconsistency lets a request reach a protected route handler without triggering middleware used for authentication, authorization, rate limiting, or auditing.

Critical Impact

Attackers can bypass middleware-enforced authentication and authorization on parameterized routes with a single unauthenticated HTTP request, regardless of HTTP method.

Affected Products

  • @fastify/middie 9.1.0 through 9.3.2 (Node.js)
  • Fastify applications using parameterized middleware paths for security decisions
  • Downstream services relying on middie middleware for authorization or rate limiting

Discovery Timeline

  • 2026-07-01 - CVE-2026-14198 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-14198

Vulnerability Analysis

The vulnerability is an authentication bypass caused by interpretation conflict [CWE-436] between two request-handling layers. @fastify/middie normalizes the request path by decoding percent-encoded characters, including %2F, before comparing the path against registered middleware patterns. Fastify's router uses the raw, still-encoded path when resolving route handlers. The two layers therefore disagree on the canonical path for the same request.

When a developer registers middleware on a parameterized path such as /users/:id, the middleware layer only matches when it interprets the request path as containing a single segment for :id. An attacker who submits %2F inside the parameter value causes middie to see multiple segments and skip the middleware match. Fastify's router still resolves the request to the intended handler because it treats %2F as literal parameter content. The protected handler executes without any middleware running against the request.

Root Cause

The root cause is inconsistent path canonicalization between @fastify/middie and Fastify's core router. Middie applies URL decoding before path matching; the router preserves encoding. This violates the principle that all security-relevant layers must operate on the same canonical representation of an input.

Attack Vector

Exploitation requires no authentication, no user interaction, and no special preconditions. An attacker sends a single HTTP request to a parameterized route where %2F is placed inside the parameter value. The attack is HTTP method agnostic and works against any endpoint where middie middleware enforces a security decision on a parameterized path. See the GitHub Security Advisory GHSA-2v46-jxjm-7q3v for technical details.

Detection Methods for CVE-2026-14198

Indicators of Compromise

  • Access log entries containing %2F inside path parameter positions on routes protected by middie middleware.
  • Successful responses (2xx) from protected handlers with no corresponding middleware log entry for the same request ID.
  • Sudden divergence between middleware invocation counts and handler invocation counts on parameterized endpoints.

Detection Strategies

  • Inventory Fastify applications and identify installations of @fastify/middie at versions 9.1.0 through 9.3.2.
  • Add request correlation logging that records both middleware execution and handler execution for each request ID, then alert on mismatches.
  • Deploy web application firewall rules that flag or block requests containing %2F within path segments corresponding to route parameters.

Monitoring Recommendations

  • Monitor authentication and authorization audit logs for gaps where a protected resource was served without a preceding auth event.
  • Track HTTP request telemetry for encoded slash patterns across all parameterized endpoints.
  • Review rate limiting counters for anomalous unattributed traffic that reached handlers without incrementing middleware-tracked counts.

How to Mitigate CVE-2026-14198

Immediate Actions Required

  • Upgrade @fastify/middie to version 9.3.3 or later across all affected services.
  • Audit application code for parameterized middleware paths that enforce authentication, authorization, rate limiting, or auditing.
  • Move security-critical checks out of middie middleware and into Fastify hooks that execute after route resolution.

Patch Information

The fix is available in @fastify/middie version 9.3.3. Upgrade using npm install @fastify/middie@9.3.3 or the equivalent command for your package manager, then redeploy affected services. Refer to the OpenJSF Security Advisories and the GitHub Security Advisory GHSA-2v46-jxjm-7q3v for release notes.

Workarounds

  • Avoid using parameterized middleware paths for security decisions until the upgrade is deployed.
  • Enforce authentication and authorization inside the route handler itself, where Fastify has already resolved the request path.
  • Register a Fastify preHandler or onRequest hook that runs after the router resolves the request, ensuring the security check sees the same path as the handler.
  • Configure an upstream proxy or WAF to reject requests containing %2F inside path parameter positions.
bash
# Upgrade @fastify/middie to the patched release
npm install @fastify/middie@9.3.3
npm ls @fastify/middie

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.