CVE-2026-33769

Name of the Vulnerable Software and Affected Versions Astro versions 2.10.10 through 5.18.0

Description Astro’s remotePatterns path enforcement for remote URLs used by server-side fetchers, such as the image optimization endpoint, is affected by an issue. The path matching logic for /* wildcards is unanchored, allowing a pathname containing the allowed prefix later in the path to still match. This can allow an attacker to fetch paths outside the intended allowlisted prefix on an otherwise allowed host.

Recommendations Update to version 5.18.1 or later.