#VU125980 Improper Validation of Specified Type of Input in Fastify - CVE-2026-33806

Published: April 14, 2026


Vulnerability identifier: #VU125980
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33806
CWE-ID: CWE-1287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Fastify
Software vendor: fastify.io

Description

The vulnerability allows a remote attacker to bypass body schema validation.

The vulnerability exists due to improper validation of the specified input type in the schema.body.content validation in lib/validation.js when processing requests whose Content-Type header is prefixed by a leading space. A remote attacker can send a specially crafted request to bypass body schema validation.

The issue is caused by a parser-validator differential: the body parser trims the leading whitespace and still parses the body correctly, but the validator lookup derives an empty media type from the same header, finds no matching validator and skips validation.


Remediation

Install the security update from the vendor's website.

External links