CVE-2026-2880

CVE-2026-2880 is a vulnerability in @fastify/middie versions prior to 9.2.0, a middleware plugin for the Fastify web framework. It enables authentication and authorization bypass specifically when path-scoped middleware is used, such as app.use('/secret', auth). The issue arises when Fastify router normalization options are enabled—including ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behaviors—allowing crafted request paths to evade middleware checks while still matching and executing protected route handlers. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-20 (Improper Input Validation). It was published on 2026-02-27.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By constructing HTTP requests with specially manipulated paths that leverage the normalization options, attackers bypass security middleware and reach handlers intended to be protected, achieving high-impact confidentiality and integrity violations such as unauthorized data access or modification without affecting availability.

The GitHub Security Advisory at https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw provides details on the vulnerability. Mitigation requires upgrading to @fastify/middie version 9.2.0 or later, which resolves the path bypass issue in conjunction with Fastify's router normalization features.