CVE-2026-33807: @fastify/express's middleware path doubling causes authentication bypass in child plugin scopes

April 16, 2026

@fastify/express v4.0.4 contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware. No special configuration is required — this affects the default Fastify configuration.

References

cna.openjsf.org/security-advisories.html
github.com/advisories/GHSA-hrwm-hgmj-7p9c
github.com/fastify/fastify-express
github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c
nvd.nist.gov/vuln/detail/CVE-2026-33807

Code Behaviors & Features

Detect and mitigate CVE-2026-33807 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →