How is CVE-2026-53721 exploited?

Network reachability (required): The attacker must be able to reach the Nuxt application over the network; the vulnerability is exposed on any internet- or intranet-facing deployment. Authentication (not-required): No account or session credential is needed; the crafted request can be sent by any unauthenticated client. Victim interaction (not-required): No user action is required; the attacker sends the request directly to the server without involving any human victim. Attack complexity (info): Exploitation is reliable and condition-free; the attacker only needs to adjust the casing of the route path, with no race conditions or environmental dependencies involved.

What is the impact of CVE-2026-53721?

The attacker bypasses route-rule middleware and reads response data that should be access-controlled, such as session tokens, user records, or API responses gated behind those rules. The attacker can make limited writes or state modifications to resources that route-rule middleware was intended to restrict, such as submitting forms or triggering actions on protected endpoints. Confidentiality impact is high; any data served by routes whose middleware protection is bypassed is fully readable by the attacker. Availability of the service itself is not affected by this vulnerability.

Back to search

HIGHCVE-2026-53721Published 2026-06-12Modified 2026-06-13CNA GitHub_M

CVE-2026-53721: Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher

Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4.7.

CVSS v4.0: 8.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A middleware-bypass vulnerability affects the Nuxt web framework (versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7). An attacker can reach it over the network with no authentication by crafting a URL whose casing does not match the routeRules matcher but is accepted by vue-router, causing route-rule middleware to be skipped entirely. Successful exploitation lets an attacker read protected data and make limited modifications to application state. Patched-image rebuilds at versions 3.21.7 and 4.4.7 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment; CVE-2026-53721 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected version of nuxt. Both registry scans and CI pipeline scans are covered.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 8.8 HIGH and weighting it against each environment's compliance policy to reflect organizational risk tolerance. Triage routing to the appropriate team inbox within each customer organization is available automatically once a match is confirmed.

Available

Patch

Because fix versions (3.21.7 and 4.4.7) exist, a patched-image rebuild at the corrected version becomes available in HarborGuard as soon as the fixed base image or package is resolvable from upstream. For customers who opt into auto-remediation, HarborGuard can execute the rebuild, run a regression test suite, and open a pull request against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must be able to reach the Nuxt application over the network; the vulnerability is exposed on any internet- or intranet-facing deployment.
AuthenticationNot required
No account or session credential is needed; the crafted request can be sent by any unauthenticated client.
Victim interactionNot required
No user action is required; the attacker sends the request directly to the server without involving any human victim.
Attack complexityDetail
Exploitation is reliable and condition-free; the attacker only needs to adjust the casing of the route path, with no race conditions or environmental dependencies involved.

Blast Radius

The attacker bypasses route-rule middleware and reads response data that should be access-controlled, such as session tokens, user records, or API responses gated behind those rules.
The attacker can make limited writes or state modifications to resources that route-rule middleware was intended to restrict, such as submitting forms or triggering actions on protected endpoints.
Confidentiality impact is high; any data served by routes whose middleware protection is bypassed is fully readable by the attacker.
Availability of the service itself is not affected by this vulnerability.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-53721 activates the moment the advisory is ingested, matching any image in a customer registry or pipeline that contains an affected nuxt version (3.11.0 to before 3.21.7 or 4.0.0 to before 4.4.7). Patched rebuilds targeting nuxt 3.21.7 or 4.4.7 become available as soon as the corrected package is resolvable upstream. For customers who opt into auto-remediation, HarborGuard can rebuild the image at the fix version, execute a regression run, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy or organizational process requires manual approval, the finding is routed to the designated team inbox with full CVSS context for sign-off before the rebuild is applied.

See how HarborGuard automates this

Affected packages

nuxt / nuxt
>= 3.11.0, < 3.21.7 · >= 4.0.0, < 4.4.7

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

References

Metrics

Get notified