CVE-2026-30246 Overview
CVE-2026-30246 affects the Fiber web framework for Go, specifically the cache middleware in github.com/gofiber/fiber/v3 versions through 3.1.0. The default key generator builds cache keys from the request path only and ignores the query string. Requests sharing the same path but using different query parameters collide on the same cache key. As a result, the middleware can return a cached response intended for a different request, exposing data across query-dependent endpoints.
Critical Impact
Cross-request response mix-up in cached endpoints can leak data between unrelated users or queries on the same path [CWE-436].
Affected Products
- Fiber v3 (github.com/gofiber/fiber/v3) versions through 3.1.0
- Applications using the default KeyGenerator in the Fiber cache middleware
- Query-dependent HTTP endpoints fronted by the affected cache middleware
Discovery Timeline
- 2026-05-05 - CVE-2026-30246 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-30246
Vulnerability Analysis
The Fiber cache middleware stores HTTP responses keyed by a generator function. In versions through 3.1.0, the default KeyGenerator returns only c.Path() and omits c.Request().URI().QueryString(). Two requests targeting the same route with distinct query parameters resolve to the same cache entry. The middleware serves whichever response was cached first to subsequent callers, regardless of their query inputs.
This behavior is classified as an interpretation conflict [CWE-436]: the cache layer treats requests as equivalent while the application logic treats them as distinct. Endpoints that rely on query parameters for filtering, pagination, tenancy, or user-specific lookups can return another user's data. The flaw is exploitable over the network without authentication or user interaction, although the attacker depends on the victim's traffic patterns to influence what gets cached.
Root Cause
The root cause is an incomplete cache key derivation in the default configuration of the cache middleware. The key generator hashes only the request path, omitting the query string component of the URI. Any variance encoded in query parameters is collapsed into a single cache bucket, breaking the contract that cache keys uniquely identify a response.
Attack Vector
An attacker issues a request to a query-dependent endpoint to seed the cache with a specific response. Subsequent legitimate requests for the same path with different query parameters receive the attacker-influenced cached response within the cache TTL window. Conversely, an attacker can request a popular endpoint and read another user's cached response containing sensitive query-driven output. Exploitation requires only network access to the affected application.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-35hp-hqmv-8qg8 and the affected cache configuration source for technical details.
Detection Methods for CVE-2026-30246
Indicators of Compromise
- Application logs showing identical response bodies served to requests with differing query strings on the same path.
- User reports of seeing data belonging to other users or unrelated queries on cached endpoints.
- Cache hit metrics that remain abnormally high across endpoints whose responses should vary by query parameter.
Detection Strategies
- Audit Go module dependencies for github.com/gofiber/fiber/v3 at version 3.1.0 or earlier using go list -m all.
- Grep application code for cache.New( invocations that do not override KeyGenerator with a function including the query string.
- Replay representative requests with varied query parameters and compare response bodies and X-Cache headers for unexpected equality.
Monitoring Recommendations
- Instrument cache middleware to log the generated key alongside the full request URI for offline analysis.
- Alert on responses where cached Content-Length or response hash matches across requests that should differ by query parameter.
- Track per-endpoint cache hit ratios and investigate query-dependent routes with hit ratios approaching 100%.
How to Mitigate CVE-2026-30246
Immediate Actions Required
- Upgrade github.com/gofiber/fiber/v3 to a release after 3.1.0 that contains the fix.
- Until the upgrade is deployed, disable the cache middleware on endpoints whose responses depend on query parameters.
- Override the default KeyGenerator to incorporate the request query string for any retained cache configuration.
Patch Information
The issue is fixed in releases of github.com/gofiber/fiber/v3 after version 3.1.0. Refer to the GitHub Security Advisory GHSA-35hp-hqmv-8qg8 for the patched version and changelog. Review the corresponding cache middleware tests to validate the corrected key derivation behavior.
Workarounds
- Provide a custom KeyGenerator that returns c.Path() + "?" + string(c.Request().URI().QueryString()) or a hash thereof.
- Exclude query-dependent routes from caching using the Next predicate to skip the middleware for those handlers.
- Reduce cache Expiration to minimize the window in which a mismatched response can be served while remediation is in progress.
# Configuration example
go get github.com/gofiber/fiber/v3@latest
go mod tidy
go list -m github.com/gofiber/fiber/v3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
