CVE-2026-33806 | Fastify up to 5.8.4 Header Content-Type improper validation of specified type of input

VDB-357664 · CVE-2026-33806 · GCVE-0-2026-33806 FASTIFY UP TO 5.8.4 HEADER CONTENT-TYPE IMPROPER VALIDATION OF SPECIFIED TYPE OF INPUT HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 6.3 $0-$5k 3.17+ Summaryinfo A vulnerability was found in Fastify up to 5.8.4. It has been declared as problematic. Affected is an unknown function of the component Header Handler. Executing a manipulation of the argument Content-Type can lead to improper validation of specified type of input. The identification of this vulnerability is CVE-2026-33806. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component. Detailsinfo A vulnerability has been found in Fastify up to 5.8.4 and classified as problematic. This vulnerability affects some unknown processing of the component Header Handler. The manipulation of the argument Content-Type with an unknown input leads to a improper validation of specified type of input vulnerability. The CWE definition for the vulnerability is CWE-1287. The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. As an impact it is known to affect integrity. CVE summarizes: Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442 Patches: Upgrade to fastify v5.8.5 or later. Workarounds: None. Upgrade to the patched version. The advisory is shared for download at github.com. This vulnerability was named CVE-2026-33806 since 03/23/2026. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are known technical details, but no exploit is available. Upgrading to version 5.8.5 eliminates this vulnerability. Productinfo Name Fastify Version 5.8.0 5.8.1 5.8.2 5.8.3 5.8.4 Website Product: https://github.com/fastify/fastify/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 6.4 VulDB Meta Temp Score: 6.3 VulDB Base Score: 5.3 VulDB Temp Score: 5.1 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 7.5 CNA Vector (openjs): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Improper validation of specified type of input CWE: CWE-1287 / CWE-20 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: Fastify 5.8.5 Timelineinfo 03/23/2026 CVE reserved 04/15/2026 +22 days Advisory disclosed 04/15/2026 +0 days VulDB entry created 04/15/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: github.com Status: Confirmed CVE: CVE-2026-33806 (🔒) GCVE (CVE): GCVE-0-2026-33806 GCVE (VulDB): GCVE-100-357664 Entryinfo Created: 04/15/2026 07:33 Changes: 04/15/2026 07:33 (63) Complete: 🔍 Cache ID: 99:EE1:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸