Executive Summary
A critical authentication bypass vulnerability (CVE-2026-6270) has been discovered in @fastify/middie, the Express-style middleware compatibility layer for the Fastify Node.js web framework. The vulnerability affects all versions up to and including 9.3.1 and carries a CVSS score of 9.1.
The flaw causes authentication middleware registered in a parent plugin scope to silently fail to propagate to child plugin routes when those plugins are registered with route prefixes. This means that APIs intended to be protected by parent-level authentication can be accessed by unauthenticated requests without any error or log entry indicating the bypass.
Fastify applications using @fastify/middie with parent-scoped authentication middleware and child plugin route registration should upgrade to version 9.3.2 immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-6270 |
| CVSS Score | 9.1 (Critical) |
| CWE | CWE-284 — Improper Access Control |
| Type | Authentication Bypass via Middleware Non-Inheritance |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | Low |
| Patch Available | Yes — version 9.3.2+ |
Affected Versions
| Package | Affected Versions | Fixed Version |
|---|---|---|
| @fastify/middie | <= 9.3.1 | 9.3.2+ |
Technical Analysis
Root Cause
@fastify/middie provides Express-style middleware support for Fastify through a compatibility layer. When middleware is registered in a parent Fastify plugin scope, @fastify/middie is responsible for re-applying those middleware handlers to child plugin engine instances.
The vulnerability lies in incorrect prefix re-registration logic during child plugin middleware inheritance. When a child plugin is registered with a route prefix (e.g., /api), the middleware path is incorrectly modified, causing silent path matching failures at runtime. The middleware exists in the plugin tree but never intercepts requests to the child plugin's routes.
Because Fastify's encapsulation model does not surface this as an error, the failure is completely silent: the application starts without warnings, child routes respond normally, and no middleware rejection errors appear in logs.
Vulnerable Code Pattern
```javascript
// VULNERABLE: appears secure but child routes are unprotected
// authMiddleware is an Express-style (req, res, next) handler defined elsewhere
const fastify = require('fastify')()
fastify.register(async function parentPlugin(fastify) {
  // Register authentication middleware at parent scope
  await fastify.register(require('@fastify/middie'))
  fastify.use('/api', authMiddleware) // <= DOES NOT propagate to children

  // Register child plugins with prefixes
  fastify.register(require('./routes/users'), { prefix: '/api/users' })
  fastify.register(require('./routes/admin'), { prefix: '/api/admin' })
})
```
In the above example, all routes under /api/users and /api/admin bypass authentication entirely when using @fastify/middie <= 9.3.1.
Correct Pattern After Patch
```javascript
// SAFE on @fastify/middie >= 9.3.2: parent-scope middleware is inherited by prefixed children
// (on older versions, register middie and the middleware in each child scope instead; see Step 3)
fastify.register(async function parentPlugin(fastify) {
  await fastify.register(require('@fastify/middie'))
  fastify.use('/api', authMiddleware) // now correctly inherited by children
  fastify.register(require('./routes/users'), { prefix: '/api/users' })
  fastify.register(require('./routes/admin'), { prefix: '/api/admin' })
})
```
Why This Is Dangerous
The silent nature of this bypass makes it extremely dangerous in practice. Development and QA teams testing authentication manually are unlikely to detect the issue because it only manifests at the Fastify plugin engine level. Middleware-level logging may show the middleware was registered but never reveal it failed to execute.
Applications that assume middleware registered at a parent scope protects all descendant routes — a reasonable and documented assumption — are silently exposed.
Impact Assessment
| Impact Area | Description |
|---|---|
| Full Authentication Bypass | Any route in a child plugin is reachable without authentication |
| API Data Exposure | Protected API endpoints serve data to unauthenticated callers |
| Admin Route Access | Administrative and privileged endpoints fully accessible |
| Downstream Authorization Failure | RBAC/ABAC checks never reached if authentication is bypassed |
| Compliance Violations | PII and regulated data exposed via unauthenticated API access |
| Audit Log Gaps | No authenticated identity means breaches leave no user-attributed log trail |
Immediate Remediation
Step 1: Upgrade @fastify/middie
```bash
# Update to the fixed version
npm install @fastify/middie@^9.3.2

# Verify the installed version
npm list @fastify/middie
```
Step 2: Audit Route Coverage
Identify all child plugins registered under parent scopes that use @fastify/middie:
```javascript
// Audit helper: log all registered routes and verify auth coverage
// Add the hook on the root instance before the plugins load (i.e. before ready()),
// otherwise routes registered earlier are not reported
fastify.addHook('onRoute', (routeOptions) => {
  console.log(`Route: ${routeOptions.method} ${routeOptions.url}`)
})
```
Run the application in development and compare all registered routes against expected authentication coverage.
Step 3: Apply Workaround for Immediate Risk Mitigation
If upgrading immediately is not possible, register authentication middleware inside each child plugin as a temporary workaround:
```javascript
// Workaround: register auth middleware in each child plugin
fastify.register(async function usersPlugin(fastify) {
  await fastify.register(require('@fastify/middie'))
  fastify.use(authMiddleware) // explicit per-scope registration
  // ... routes
}, { prefix: '/api/users' })
```
Step 4: Review Access Logs for Anomalous Requests
```bash
# Look for requests to protected endpoints without auth tokens/sessions
# Adjust patterns to match your auth header scheme; the Authorization filter
# only works if your access logger records request headers
grep -E "GET|POST|PUT|DELETE" /var/log/app/access.log | \
  grep -v "Authorization:" | \
  grep -E "/api/(users|admin|protected)"
```
Detection Indicators
| Indicator | Description |
|---|---|
| Requests to protected API paths with no auth token | Direct exploitation in access logs |
| 200 responses to protected endpoints from unauthenticated clients | Successful bypass confirmation |
| Missing user identity in application audit logs | Actions taken without authentication |
| Unexpected data access or mutations in API logs | Post-bypass data exfiltration or modification |
Post-Remediation Checklist
- Upgrade @fastify/middie to version 9.3.2 or later
- Audit all parent-scope middleware registrations against child plugin routes
- Test authentication enforcement for every child plugin route after upgrade
- Review access logs for evidence of prior unauthenticated access to protected routes
- Verify that authentication middleware executes for all routes in staging before re-deploying
- Add integration tests that assert 401/403 responses for unauthenticated requests to protected endpoints
- Pin the @fastify/middie version in package.json and enable Dependabot or Renovate alerts
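An audit that combines Step 2 (route enumeration via onRoute) with the checklist item on integration tests, as an added example that is not code from the advisory or the @fastify/middie project: it records every registered route, sends an unauthenticated request to each one with fastify.inject(), and reports the routes under a protected prefix that did not answer 401/403. The `protectedPrefixes` argument, the `probe` placeholder substituted for path parameters, and the constructed sample results are assumptions.

```javascript
// Added example, not part of the advisory. Pure check: given results of the form
// [{ method, url, statusCode }], return the routes under a protected prefix that an
// unauthenticated client could reach (anything other than 401/403 is a bypass).
function findUnprotectedRoutes(results, protectedPrefixes) {
  return results.filter((r) =>
    protectedPrefixes.some((p) => r.url === p || r.url.startsWith(p + '/')) &&
    r.statusCode !== 401 && r.statusCode !== 403
  )
}

// Fastify-side driver. `app` is a Fastify instance with @fastify/middie, the auth
// middleware and the child plugins queued via app.register(), but app.ready() not
// yet called: onRoute only reports routes registered after the hook is added, and
// plugin routes are registered when the instance becomes ready.
async function auditUnauthenticatedAccess(app, protectedPrefixes) {
  const routes = []
  app.addHook('onRoute', (opts) => {
    // A route may declare several methods at once
    const methods = Array.isArray(opts.method) ? opts.method : [opts.method]
    for (const method of methods) routes.push({ method, url: opts.url })
  })
  await app.ready()

  const results = []
  for (const { method, url } of routes) {
    // No Authorization header and no cookie: this is the unauthenticated case.
    // Path parameters (:id) are replaced with the assumed dummy value "probe".
    const res = await app.inject({ method, url: url.replace(/:[^/]+/g, 'probe') })
    results.push({ method, url, statusCode: res.statusCode })
  }
  return findUnprotectedRoutes(results, protectedPrefixes)
}

// Constructed sample of what the driver would collect from an app that is still on
// @fastify/middie <= 9.3.1: the child route under /api answered 200 without credentials.
const sampleResults = [
  { method: 'GET', url: '/api/users', statusCode: 200 },
  { method: 'GET', url: '/api/admin/stats', statusCode: 401 },
  { method: 'POST', url: '/api/users/:id', statusCode: 403 },
  { method: 'GET', url: '/health', statusCode: 200 },
]
```

Call `auditUnauthenticatedAccess(app, ['/api'])` from a test after building the app; a non-empty result lists the child routes the parent-scope middleware never intercepted.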