CVE-2026-33806 (GCVE-0-2026-33806)
Vulnerability from cvelistv5 – Published: 2026-04-15 00:14 – Updated: 2026-06-30 12:07
VLAI
EPSS
VEX
Title
fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header
Summary
Impact:
Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.
This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442
Patches:
Upgrade to fastify v5.8.5 or later.
Workarounds:
None. Upgrade to the patched version.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/fastify/fastify/security/advis… | |
| https://cna.openjsf.org/security-advisories.html | |
| https://access.redhat.com/security/cve/CVE-2026-33806 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2458596 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| fastify | fastify |
Affected:
5.3.2 , < 5.8.5
(semver)
Unaffected: 5.8.5 (semver) |
|
| Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 |
cpe:/a:redhat:enterprise_linux_ai:3 |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33806",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T14:02:12.644507Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T16:13:42.961Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-15T00:14:02.376Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Fastify. A remote attacker could exploit this vulnerability by prepending a space to the Content-Type header in a request. This action bypasses the application\u0027s schema validation, allowing the attacker to submit data that would otherwise be rejected. This could lead to unexpected data processing and potential integrity issues within the application."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:07:32.161Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-33806"
},
{
"name": "RHBZ#2458596",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458596"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33806.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-15T02:01:50.548Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-15T00:14:02.376Z",
"value": "Made public."
}
],
"title": "fastify: Fastify: Schema validation bypass via malformed Content-Type header",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/fastify",
"product": "fastify",
"vendor": "fastify",
"versions": [
{
"lessThan": "5.8.5",
"status": "affected",
"version": "5.3.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.8.5",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "mcollina"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "climba03003"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "jsumners"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "UlisesGascon"
},
{
"lang": "en",
"type": "reporter",
"value": "Vyntral"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Impact:\n\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.\n\nThis is a regression introduced in fastify \u003e= 5.3.2 by the fix for CVE-2025-32442\n\nPatches:\n\nUpgrade to fastify v5.8.5 or later.\n\nWorkarounds:\n\nNone. Upgrade to the patched version."
}
],
"value": "Impact:\n\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.\n\nThis is a regression introduced in fastify \u003e= 5.3.2 by the fix for CVE-2025-32442\n\nPatches:\n\nUpgrade to fastify v5.8.5 or later.\n\nWorkarounds:\n\nNone. Upgrade to the patched version."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T00:14:02.376Z",
"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"shortName": "openjs"
},
"references": [
{
"url": "https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc"
},
{
"url": "https://cna.openjsf.org/security-advisories.html"
}
],
"title": "fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header",
"x_generator": {
"engine": "cve-kit 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"assignerShortName": "openjs",
"cveId": "CVE-2026-33806",
"datePublished": "2026-04-15T00:14:02.376Z",
"dateReserved": "2026-03-23T19:48:48.715Z",
"dateUpdated": "2026-06-30T12:07:32.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-33806",
"date": "2026-07-09",
"epss": "0.00408",
"percentile": "0.3281"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33806\",\"sourceIdentifier\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"published\":\"2026-04-15T04:17:36.650\",\"lastModified\":\"2026-06-30T03:18:42.427\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Impact:\\n\\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.\\n\\nThis is a regression introduced in fastify \u003e= 5.3.2 by the fix for CVE-2025-32442\\n\\nPatches:\\n\\nUpgrade to fastify v5.8.5 or later.\\n\\nWorkarounds:\\n\\nNone. Upgrade to the patched version.\"}],\"affected\":[{\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"affectedData\":[{\"vendor\":\"fastify\",\"product\":\"fastify\",\"defaultStatus\":\"unaffected\",\"packageURL\":\"pkg:npm/fastify\",\"versions\":[{\"version\":\"5.3.2\",\"lessThan\":\"5.8.5\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"5.8.5\",\"versionType\":\"semver\",\"status\":\"unaffected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AI (RHEL AI) 3\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux_ai:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Dev Spaces\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:openshift_devspaces:3\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-04-15T14:02:12.644507Z\",\"id\":\"CVE-2026-33806\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1287\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1289\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"5.3.2\",\"versionEndExcluding\":\"5.8.5\",\"matchCriteriaId\":\"F05DA184-C206-4A06-A5BA-97FBB69A274F\"}]}]}],\"references\":[{\"url\":\"https://cna.openjsf.org/security-advisories.html\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-33806\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2458596\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33806.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
"redhat_vex": {
"aggregate_severity": "Important",
"current_release_date": "2026-06-30T04:08:02+00:00",
"cve": "CVE-2026-33806",
"id": "CVE-2026-33806",
"initial_release_date": "2026-04-15T00:14:02.376000+00:00",
"product_status:known_not_affected": "9",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "fastify: Fastify: Schema validation bypass via malformed Content-Type header",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33806.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33806\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-15T14:02:12.644507Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-15T14:02:18.744Z\"}}], \"cna\": {\"title\": \"fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header\", \"credits\": [{\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"mcollina\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"climba03003\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"jsumners\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"UlisesGascon\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Vyntral\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"fastify\", \"product\": \"fastify\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.3.2\", \"lessThan\": \"5.8.5\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.8.5\", \"versionType\": \"semver\"}], \"packageURL\": \"pkg:npm/fastify\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc\"}, {\"url\": \"https://cna.openjsf.org/security-advisories.html\"}], \"x_generator\": {\"engine\": \"cve-kit 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Impact:\\n\\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.\\n\\nThis is a regression introduced in fastify \u003e= 5.3.2 by the fix for CVE-2025-32442\\n\\nPatches:\\n\\nUpgrade to fastify v5.8.5 or later.\\n\\nWorkarounds:\\n\\nNone. Upgrade to the patched version.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Impact:\\n\\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.\\n\\nThis is a regression introduced in fastify \u003e= 5.3.2 by the fix for CVE-2025-32442\\n\\nPatches:\\n\\nUpgrade to fastify v5.8.5 or later.\\n\\nWorkarounds:\\n\\nNone. Upgrade to the patched version.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1287\", \"description\": \"CWE-1287: Improper Validation of Specified Type of Input\"}]}], \"providerMetadata\": {\"orgId\": \"ce714d77-add3-4f53-aff5-83d477b104bb\", \"shortName\": \"openjs\", \"dateUpdated\": \"2026-04-15T00:14:02.376Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33806\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-15T16:13:42.961Z\", \"dateReserved\": \"2026-03-23T19:48:48.715Z\", \"assignerOrgId\": \"ce714d77-add3-4f53-aff5-83d477b104bb\", \"datePublished\": \"2026-04-15T00:14:02.376Z\", \"assignerShortName\": \"openjs\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…