CVE-2026-33806NVD

Vulnerability Summary

Impact:

Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.

This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442

Patches:

Upgrade to fastify v5.8.5 or later.

Workarounds:

None. Upgrade to the patched version.

Severity Level

HIGH(7.5)

Published Date

Apr 15, 2026

Last Modified

Apr 17, 2026

Exploitation Status

No confirmed exploitation yet

EPSS Score (30-Day)

0.10%Probability

Root Weakness (CWE)

CWE-1287: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityNone

IntegrityHigh

AvailabilityNone

External References

https://cna.openjsf.org/security-advisories.html
https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc