{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-6556/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-30T13:30:34.905Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-6556","@id":"https://www.cve.org/CVERecord?id=CVE-2026-6556","description":"@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths (arrays of paths and regular expressions) are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms does not match the actual prefixed request path. Applications that use path-scoped middleware for authentication, authorization, rate limiting, or auditing on routes inside a prefixed scope can be bypassed..."},"products":[{"@id":"cpe:2.3:a:\\@fastify\\/express:\\@fastify\\/express:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:\\@fastify\\/express:\\@fastify\\/express:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a fixed version: 4.0.7.","timestamp":"2026-06-30T13:30:34.905Z"}]}