CVE-2026-33806 Overview
CVE-2026-33806 is an Input Validation Error vulnerability affecting Fastify, a popular Node.js web framework. Applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. While the request body is still parsed correctly, schema validation is completely skipped, allowing malicious or malformed data to reach application logic without proper validation.
This vulnerability is a regression introduced in Fastify versions >= 5.3.2 as a result of the fix for CVE-2025-32442.
Critical Impact
Attackers can bypass input validation by manipulating the Content-Type header, potentially leading to data integrity issues, injection attacks, or application logic abuse.
Affected Products
- Fastify >= 5.3.2 and < 5.8.5
Discovery Timeline
- 2026-04-15 - CVE-2026-33806 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-33806
Vulnerability Analysis
This vulnerability stems from improper handling of Content-Type header values during request processing. When Fastify's schema.body.content feature is used to define per-content-type validation schemas, the framework fails to properly normalize the Content-Type header before performing schema lookups. By prepending whitespace (such as a space character) to the Content-Type header value, an attacker can cause the schema lookup to fail silently, resulting in no validation being applied to the request body.
The vulnerability is classified under CWE-1287 (Improper Validation of Specified Type of Input), as the framework fails to properly validate and normalize the Content-Type header format before using it for critical security decisions. The network-based attack vector allows remote exploitation without authentication, and successful exploitation directly impacts data integrity by allowing unvalidated input to reach application handlers.
Root Cause
The root cause lies in the Content-Type header parsing logic introduced as part of the fix for CVE-2025-32442. The regression occurs because the updated code path does not trim or normalize whitespace from the Content-Type header value before comparing it against defined schema content types. This creates a mismatch between the parsed body (which correctly handles whitespace) and the validation lookup (which does not), resulting in validation being bypassed entirely.
Attack Vector
The attack is straightforward to execute. An attacker sends a request to a Fastify endpoint with a modified Content-Type header containing a leading space character. For example, instead of sending Content-Type: application/json, the attacker sends Content-Type: application/json (note the extra space). The body parser correctly identifies and parses the JSON content, but the schema validation system fails to find a matching content-type entry and skips validation entirely.
This allows an attacker to submit arbitrary data that would normally be rejected by the application's validation schema. The impact depends on what the application does with unvalidated input—ranging from data corruption to more severe injection vulnerabilities if downstream components assume input has been sanitized.
Detection Methods for CVE-2026-33806
Indicators of Compromise
- HTTP requests with malformed or whitespace-prefixed Content-Type headers
- Application logs showing unexpected input formats reaching business logic
- Data integrity issues in backend systems receiving unvalidated input
- Increased error rates in downstream services processing malformed data
Detection Strategies
- Monitor incoming HTTP requests for Content-Type headers with leading whitespace characters
- Implement Web Application Firewall (WAF) rules to normalize or reject malformed Content-Type headers
- Add application-level logging to track when schema validation is skipped unexpectedly
- Review access logs for patterns of requests with unusual Content-Type header variations
Monitoring Recommendations
- Enable detailed request logging in Fastify to capture full header values
- Set up alerts for unusual Content-Type header patterns in request logs
- Monitor application behavior metrics for anomalies in data validation rates
- Implement runtime application self-protection (RASP) to detect validation bypass attempts
How to Mitigate CVE-2026-33806
Immediate Actions Required
- Upgrade Fastify to version 5.8.5 or later immediately
- Review application logs for evidence of exploitation attempts
- Audit any data processed during the vulnerable window for integrity issues
- Implement WAF rules to normalize Content-Type headers as a defense-in-depth measure
Patch Information
The vulnerability is addressed in Fastify version 5.8.5. Organizations should upgrade to this version or later as soon as possible. For detailed information about the security fix, refer to the GitHub Fastify Security Advisory and the OpenJS Foundation Security Advisories.
Workarounds
- No workarounds are available for this vulnerability
- Upgrade to Fastify v5.8.5 or later is the only remediation path
- As a temporary measure, consider implementing reverse proxy-level header normalization to strip leading whitespace from Content-Type headers
# Upgrade Fastify to patched version
npm update fastify@5.8.5
# Verify installed version
npm list fastify
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
