PT-2026-33320 · Npm · @Fastify/Middie

Climba03003 +2

Published: 2026-04-16 · Updated: 2026-04-28

CVE-2026-6270
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: @fastify/middie versions prior to 9.3.2

Description: Inherited middleware is not registered directly on child plugin engine instances. When authentication middleware is registered in a parent scope and child plugins are registered with @fastify/middie, the child scope fails to inherit the parent middleware. This occurs because middleware paths are incorrectly re-prefixed when propagated to child plugin scopes; if a child plugin is registered with a prefix overlapping a parent-scoped middleware path, the path is modified and fails to match incoming requests. Consequently, security controls such as authentication, authorization, and rate limiting are skipped for all routes defined within affected child and nested grandchild plugin scopes, allowing unauthenticated requests to reach those routes.

Recommendations: Upgrade to @fastify/middie version 9.3.2.
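The following is an added illustration of the path-handling flaw described above, written for this note; it is a simplified model, not @fastify/middie's own code. The function names (inherit, middlewareFor, uncoveredRoutes), the exact matching rule and the /api scenario are assumptions chosen to show why an overlapping child prefix stops parent middleware from matching, and to give a regression check a maintainer can adapt.

```javascript
// Does middleware mounted at mwPath apply to a request for url?
// A mount at '/' applies everywhere; otherwise match on a segment boundary.
function matches(mwPath, url) {
  if (mwPath === '/') return true;
  return url === mwPath || url.startsWith(mwPath + '/');
}

// Join a scope prefix and a middleware path without doubling slashes.
function joinPath(prefix, path) {
  const p = prefix.replace(/\/+$/, '');
  return path === '/' ? (p || '/') : p + path;
}

// Middleware registered in the parent scope, as seen from a child plugin
// registered with childPrefix. rePrefix=true models the vulnerable behaviour
// (the child prefix is applied a second time to an already resolved path);
// rePrefix=false keeps the parent's path, which is the fixed behaviour.
function inherit(parentMiddleware, childPrefix, rePrefix) {
  return parentMiddleware.map((mw) => ({
    name: mw.name,
    path: rePrefix ? joinPath(childPrefix, mw.path) : mw.path,
  }));
}

// Names of the middleware that would run for url under the given chain.
function middlewareFor(chain, url) {
  return chain.filter((mw) => matches(mw.path, url)).map((mw) => mw.name);
}

// Regression check: every route that must be protected has `required` in
// its effective chain. Returns the routes that do not (empty means covered).
function uncoveredRoutes(chain, routes, required) {
  return routes.filter((r) => !middlewareFor(chain, r).includes(required));
}

// Constructed scenario (assumption): authentication mounted at /api in the
// parent scope, child plugin registered with the overlapping prefix /api.
const parentMiddleware = [{ name: 'authenticate', path: '/api' }];
const childRoutes = ['/api/users', '/api/users/42'];

const vulnerableChain = inherit(parentMiddleware, '/api', true);
const fixedChain = inherit(parentMiddleware, '/api', false);

console.log(vulnerableChain[0].path);                                    // /api/api
console.log(uncoveredRoutes(vulnerableChain, childRoutes, 'authenticate')); // both routes unprotected
console.log(uncoveredRoutes(fixedChain, childRoutes, 'authenticate'));      // []
```

Running the same uncoveredRoutes check against the real application's route table (with the middleware chain observed per route) is the kind of test that would have flagged this regression before release.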

Related Identifiers

CVE-2026-6270
GHSA-72C6-FX6Q-FR5W

Affected Products

@Fastify/Middie