Main Vulnerability Database SB20260414108

SB20260414108 - Improper input validation in Fastify

Published: April 14, 2026

Security Bulletin ID SB20260414108

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Validation of Specified Type of Input (CVE-ID: CVE-2026-33806)

The vulnerability allows a remote attacker to bypass body schema validation.

The vulnerability exists due to improper validation of specified type of input in schema.body.content validation in lib/validation.js when processing requests with a Content-Type header prefixed by a leading space. A remote attacker can send a specially crafted request to bypass body schema validation.

The issue is caused by a parser-validator differential where the body is still parsed correctly after leading whitespace is trimmed, but validator lookup uses an empty media type and skips validation.

Remediation

Install update from vendor's website.

References

https://github.com/fastify/fastify/security/advisories/GHSA-247c-9743-5963