
CVE-2026-47200: Nuxt Framework Auth Bypass Vulnerability

CVE-2026-47200 is an authentication bypass flaw in the Nuxt framework affecting server island components. Route middleware is bypassed when pages are accessed via the island endpoint. This article covers technical details, affected versions, impact, and mitigation steps.

CVE-2026-47200 Overview

CVE-2026-47200 is an access control weakness (CWE-284) in Nuxt, an open-source web development framework for Vue.js. When the experimental.componentIslands feature is enabled, which is the default in Nuxt 4, any .server.vue file under the pages/ directory is automatically registered as a server island. These islands are exposed through the /__nuxt_island/:name endpoint under the key page_<routeName>. Requests to that endpoint render the page component directly via the server-side rendering (SSR) renderer without instantiating Vue Router. As a result, route middleware declared on the page through definePageMeta({ middleware }) does not execute, allowing unauthenticated callers to bypass authorization checks.

Critical Impact

Attackers can request protected page components directly through the island endpoint, bypassing authentication and authorization middleware defined via definePageMeta.

Affected Products

  • Nuxt versions 3.11.0 to before 3.21.6
  • Nuxt versions 4.0.0-alpha.1 to before 4.4.6
  • @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6

Discovery Timeline

  • 2026-06-12 - CVE-2026-47200 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-47200

Vulnerability Analysis

Nuxt's component islands feature lets developers ship interactive server-rendered components. When experimental.componentIslands is enabled, the framework scans pages/ for .server.vue files and registers each one as a server island under the key page_<routeName>. Each island becomes reachable through the /__nuxt_island/:name endpoint.

The endpoint invokes the SSR renderer directly to produce island markup. The renderer never instantiates Vue Router during this code path. Because Nuxt's page middleware pipeline runs as part of Vue Router navigation, any guards declared with definePageMeta({ middleware }) are skipped entirely. Authentication checks, role validation, and feature flag enforcement that developers expect to gate page rendering never execute.

The issue is classified under CWE-284, Improper Access Control. It does not corrupt memory or inject code. It exposes server-rendered output that should have required an authenticated session.

Root Cause

The root cause is a divergence between two rendering paths. The standard page render path runs middleware as part of router navigation. The island render path calls the SSR renderer directly without invoking the router, so any access control declared in definePageMeta is silently ignored. Developers who relied on page middleware to protect a .server.vue page had no signal that the island endpoint exposed the same component without those checks.

Attack Vector

An unauthenticated attacker sends an HTTP GET request to /__nuxt_island/page_<routeName> with the appropriate payload identifier for the target page. Nuxt resolves the corresponding .server.vue component, renders it server-side, and returns the response. No session cookie, bearer token, or role check intercepts the request. The attacker receives the rendered output for pages that were intended to be accessible only to authorized users. See the GitHub Security Advisory GHSA-hg3f-28rg-4jxj for the maintainer write-up.

Detection Methods for CVE-2026-47200

Indicators of Compromise

  • Unexpected HTTP requests to URIs matching the pattern /__nuxt_island/page_* in web server, reverse proxy, or CDN access logs.
  • Island endpoint responses returned with HTTP 200 to clients that have no authenticated session cookie or Authorization header.
  • Outbound responses from /__nuxt_island/ containing data fields normally restricted to authenticated users, such as account identifiers or internal links.

Detection Strategies

  • Inventory all .server.vue files under pages/ and confirm whether experimental.componentIslands is enabled in nuxt.config.ts.
  • Compare request volumes between standard page routes and the corresponding /__nuxt_island/page_<routeName> endpoints to surface direct island access.
  • Replay known authenticated page requests as anonymous requests against the island endpoint to confirm whether middleware is enforced after patching.

Monitoring Recommendations

  • Forward web access logs into a centralized analytics or SIEM platform and alert on anonymous 2xx responses from /__nuxt_island/ paths that correspond to protected pages.
  • Track the version of nuxt and @nuxt/nitro-server deployed in each environment so vulnerable releases are flagged during build and deploy.
  • Add synthetic monitoring that probes the island endpoint without credentials and alerts when access is permitted on pages tagged with middleware.
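
The log check described in the indicators and monitoring lists above, as an added example that is not from the advisory or the Nuxt project: it groups anonymous 2xx responses from /__nuxt_island/page_<routeName> by protected route. The JSON-lines field names, the sample records, the placeholder suffixes after the route name, and the premise that cookie is logged only when a session cookie was sent are all assumptions.

```javascript
// Added example. Assumed input: JSON-lines proxy log with the fields
// ip, path, status, cookie, authorization (field names are assumptions).
const ISLAND_PREFIX = '/__nuxt_island/';

// Island key = text after the prefix with the query string dropped, or null.
function islandKey(path) {
  const bare = String(path).split('?')[0];
  return bare.startsWith(ISLAND_PREFIX) ? bare.slice(ISLAND_PREFIX.length) : null;
}

// True when key is page_<routeName> followed by nothing or by a character that
// cannot continue a route name; whatever follows is treated as opaque.
function matchesRoute(key, routeName) {
  const want = 'page_' + routeName;
  return key.startsWith(want) && !/^[A-Za-z0-9-]/.test(key.slice(want.length));
}

// Group anonymous 2xx island responses by the protected route they rendered.
function findAnonymousIslandHits(lines, protectedRoutes) {
  const hits = new Map();
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!rec || typeof rec !== 'object') continue;
    const key = islandKey(rec.path || '');
    const route = key && protectedRoutes.find((r) => matchesRoute(key, r));
    const anonymous = !rec.cookie && !rec.authorization;
    const success = rec.status >= 200 && rec.status <= 299;
    if (!route || !anonymous || !success) continue;
    const entry = hits.get(route) || { route, count: 0, clients: new Set() };
    entry.count += 1;
    entry.clients.add(rec.ip);
    hits.set(route, entry);
  }
  return [...hits.values()].map((e) => ({ ...e, clients: [...e.clients].sort() }));
}

// Constructed sample records; the "_x1.json" style suffixes are placeholders.
const SAMPLE_LOG = [
  '{"ip":"203.0.113.7","path":"/__nuxt_island/page_admin-users_x1.json?props=%7B%7D","status":200}',
  '{"ip":"203.0.113.7","path":"/__nuxt_island/page_admin-users_x1.json","status":200}',
  '{"ip":"198.51.100.4","path":"/__nuxt_island/page_admin-users_x1.json","status":200,"cookie":"session=REDACTED"}',
  '{"ip":"198.51.100.9","path":"/__nuxt_island/page_admin_x2.json","status":403}',
  '{"ip":"192.0.2.15","path":"/__nuxt_island/page_about_x3.json","status":200}',
  '{"ip":"192.0.2.15","path":"/admin/users","status":302}',
  'not json',
];

console.log(findAnonymousIslandHits(SAMPLE_LOG, ['admin', 'admin-users']));
```

The list of protected route names has to come from the inventory of .server.vue pages that declare middleware; routes missing from that list are not reported.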

How to Mitigate CVE-2026-47200

Immediate Actions Required

  • Upgrade nuxt to version 3.21.6 or 4.4.6 and @nuxt/nitro-server to the matching patched release.
  • If an immediate upgrade is not possible, set experimental.componentIslands to false in nuxt.config.ts to disable automatic island registration for .server.vue pages.
  • Audit access logs for prior anonymous requests to /__nuxt_island/page_* paths to determine whether protected pages were retrieved before the patch was applied.

Patch Information

The maintainers fixed the issue in Nuxt 3.21.6 and 4.4.6, with matching releases for @nuxt/nitro-server. The patch ensures route middleware declared through definePageMeta executes before the SSR renderer returns island content. Review the Nuxt pull request 35092 for the implementation and the GitHub Security Advisory GHSA-hg3f-28rg-4jxj for upgrade guidance.

Workarounds

  • Disable experimental.componentIslands until the patched version is deployed, accepting the loss of island functionality.
  • Block external traffic to /__nuxt_island/ at the reverse proxy or web application firewall and restrict the endpoint to internal SSR calls only.
  • Re-implement authorization checks inside the affected .server.vue components themselves so the rendering path enforces access independently of router middleware.

```ts
// Configuration example
// nuxt.config.ts workaround: disable component islands until patched
export default defineNuxtConfig({
  experimental: {
    componentIslands: false
  }
})
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
