{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-14198: @fastify/middie vulnerable to authorization bypass via encoded slash in path parameter values","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-14198","status":"final","version":"1","initial_release_date":"2026-07-01T11:29:20.435Z","current_release_date":"2026-07-01T12:10:29.571Z","revision_history":[{"date":"2026-07-01T11:29:20.435Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP method agnostic and requires no authentication or special preconditions. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-14198 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-14198"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-14198"},{"category":"external","summary":"github.com","url":"https://github.com/fastify/middie/security/advisories/GHSA-2v46-jxjm-7q3v"},{"category":"external","summary":"cna.openjsf.org","url":"https://cna.openjsf.org/security-advisories.html"}]},"product_tree":{"branches":[{"category":"vendor","name":"@fastify/middie","branches":[{"category":"product_name","name":"@fastify/middie","branches":[{"category":"product_version_range","name":">=9.1.0 <9.3.3","product":{"name":"@fastify/middie @fastify/middie >=9.1.0 <9.3.3","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:\\@fastify\\/middie:\\@fastify\\/middie:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"9.3.3","product":{"name":"@fastify/middie @fastify/middie 9.3.3","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:\\@fastify\\/middie:\\@fastify\\/middie:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-14198","title":"@fastify/middie vulnerable to authorization bypass via encoded slash in path parameter values","notes":[{"category":"description","text":"@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP method agnostic and requires no authentication or special preconditions. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"],"fixed":["CSAFPID-2"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 9.3.3.","product_ids":["CSAFPID-1"]}]}]}