CVE-2026-33807 | fastify express up to 4.0.4 onRegister interpretation conflict

VDB-357696 · CVE-2026-33807 · GCVE-0-2026-33807 FASTIFY EXPRESS UP TO 4.0.4 ONREGISTER INTERPRETATION CONFLICT HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 8.0 $0-$5k 3.65+ Summaryinfo A vulnerability labeled as critical has been found in fastify express up to 4.0.4. This impacts the function onRegister. The manipulation results in interpretation conflict. This vulnerability is identified as CVE-2026-33807. The attack can be executed remotely. There is not any exploit available. The affected component should be upgraded. Detailsinfo A vulnerability classified as critical has been found in fastify express up to 4.0.4. Affected is the function onRegister. The manipulation with an unknown input leads to a interpretation conflict vulnerability. CWE is classifying the issue as CWE-436. Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes: @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required. Upgrade to @fastify/express v4.0.5 or later. The advisory is shared for download at github.com. This vulnerability is traded as CVE-2026-33807 since 03/23/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are known technical details, but no exploit is available. Upgrading to version 4.0.5 eliminates this vulnerability. Productinfo Vendor fastify Name express Version 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 8.2 VulDB Meta Temp Score: 8.0 VulDB Base Score: 7.3 VulDB Temp Score: 7.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 9.1 CNA Vector (openjs): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Interpretation conflict CWE: CWE-436 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: express 4.0.5 Timelineinfo 03/23/2026 CVE reserved 04/15/2026 +22 days Advisory disclosed 04/15/2026 +0 days VulDB entry created 04/15/2026 +0 days VulDB entry last update Sourcesinfo Advisory: github.com Status: Confirmed CVE: CVE-2026-33807 (🔒) GCVE (CVE): GCVE-0-2026-33807 GCVE (VulDB): GCVE-100-357696 Entryinfo Created: 04/15/2026 12:13 Changes: 04/15/2026 12:13 (63) Complete: 🔍 Cache ID: 99:18B:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸