{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-14198/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-07-01T12:10:29.571Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-14198","@id":"https://www.cve.org/CVERecord?id=CVE-2026-14198","description":"@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler without the middleware running."},"products":[{"@id":"cpe:2.3:a:\\@fastify\\/middie:\\@fastify\\/middie:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:\\@fastify\\/middie:\\@fastify\\/middie:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a fixed version: 9.3.3.","timestamp":"2026-07-01T12:10:29.571Z"}]}