CVE-2026-22031

Name: CVE-2026-22031
Creator: NVD / NIST
Published: 2026-01-19T16:15:54.31+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 0.46%

Last modified Jun 17, 2026

CVE-2026-22031 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. @fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). EPSS estimates a 0.46% chance of exploitation in the next 30 days.

Description

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. Version 9.1.0 fixes the issue.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.46%

36.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-177

Affected Software

Vendor	Product	Versions
Fastify	Fastify\/Middie	< 9.1.0

References

https://github.com/fastify/middie/commit/d44cd56eb724490babf7b452fdbbdd37ea2effbaPatch
https://github.com/fastify/middie/pull/245Issue Tracking, Patch
https://github.com/fastify/middie/releases/tag/v9.1.0Product, Release Notes
https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69pExploit, Vendor Advisory

Timeline

Published: Jan 19, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-22031?

How severe is CVE-2026-22031?

CVE-2026-22031 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 0.46% probability of exploitation in the next 30 days.

How do I fix CVE-2026-22031?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-22031?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST