CVE-2026-6556 Overview
CVE-2026-6556 is an authorization bypass vulnerability in @fastify/express versions 4.0.6 and earlier. The plugin only rewrites the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths, including arrays and regular expressions, remain unprefixed inside prefixed plugin scopes. Applications relying on path-scoped middleware for authentication, authorization, rate limiting, or auditing can be bypassed. Attackers send requests directly to the prefixed route, and Fastify matches the route while skipping the middleware entirely. The issue is tracked under [CWE-285] Improper Authorization and is fixed in version 4.0.7.
Critical Impact
Remote unauthenticated attackers can bypass authentication, authorization, rate limiting, and auditing middleware on prefixed Fastify routes.
Affected Products
- @fastify/express versions 4.0.6 and earlier
- Node.js applications using @fastify/express with prefixed plugin scopes
- Fastify applications registering middleware with array or regular expression mount paths
Discovery Timeline
- 2026-06-30 - CVE-2026-6556 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-6556
Vulnerability Analysis
The vulnerability resides in the path-prefix rewriting logic of @fastify/express. When a plugin registers with a prefix and mounts middleware using app.use(path, handler), the plugin rewrites path to include the plugin prefix. This rewriting only executes when path is a string.
When developers pass an array of paths or a regular expression to app.use(), the prefix is not applied. Fastify still registers the underlying route at the prefixed location, but the middleware handler binds to the unprefixed path. Requests to the prefixed route reach the handler without traversing the middleware chain.
The impact is direct authorization bypass. Middleware enforcing authentication tokens, role checks, tenant isolation, request quotas, or audit logging never executes. The route responds as if the middleware granted access. This category maps to [CWE-285] Improper Authorization.
Root Cause
The root cause is inconsistent handling of the path argument type inside the plugin's prefix rewrite logic. String paths are transformed to include the plugin prefix. Array and RegExp paths fall through the type check and are registered without modification, breaking the invariant that middleware mount paths align with route paths inside a prefixed scope.
Attack Vector
An unauthenticated remote attacker sends an HTTP request to a prefixed route protected by array-based or regex-based middleware. Because Fastify matches the prefixed route but the middleware is bound to a non-prefixed path, the request reaches the route handler without middleware evaluation. No authentication credentials, valid session, or user interaction is required. The attacker gains the same access as a fully authorized user for any endpoint gated only by the bypassed middleware.
Refer to the GitHub Security Advisory GHSA-3wf5-7852-vcfq for further technical detail.
Detection Methods for CVE-2026-6556
Indicators of Compromise
- Successful HTTP 2xx responses to protected prefixed routes without corresponding authentication log entries.
- Access log entries for sensitive endpoints missing audit middleware records that should accompany each request.
- Requests to prefixed routes that would normally trigger rate limit counters without any counter increment.
Detection Strategies
- Perform a static review of the application source for app.use() or fastify.use() calls passing an array or RegExp as the first argument inside a plugin registered with a prefix option.
- Run integration tests that send unauthenticated requests to every prefixed route and verify a 401 or 403 response.
- Enumerate installed versions of @fastify/express with npm ls @fastify/express and flag any version at or below 4.0.6.
Monitoring Recommendations
- Alert on anomalous access patterns to prefixed API routes where authentication middleware log entries are absent.
- Correlate route handler execution with expected middleware execution counts and alert on divergence.
- Monitor dependency manifests in CI pipelines for @fastify/express versions below 4.0.7.
How to Mitigate CVE-2026-6556
Immediate Actions Required
- Upgrade @fastify/express to version 4.0.7 or later across all Node.js services.
- Audit every prefixed plugin for use() calls that pass an array or regular expression as the mount path.
- Re-run authorization test suites against all prefixed routes and confirm middleware executes on each request.
Patch Information
The maintainers fixed the issue in @fastify/express version 4.0.7. Upgrade using npm install @fastify/express@^4.0.7 or the equivalent command for your package manager. See the OpenJS Foundation Security Advisories and the GitHub Security Advisory GHSA-3wf5-7852-vcfq for release details.
Workarounds
- Replace array mount paths with individual use() calls, registering one middleware invocation per string path.
- Replace regular expression mount paths with explicit string paths that match the routes you intend to protect.
- Keep all middleware registration inside prefixed plugins limited to string mount paths until upgrading is possible.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

