VDB

CVE-2026-33806

CVE-2026-33806 PUBLISHED CVSS 7.5 HIGH

Reported by openjs · Published April 15, 2026

Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442 Patches: Upgrade to fastify v5.8.5 or later. Workarounds: None. Upgrade to the patched version.

EPSS 0.11% · 28.4th percentile

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score
0.11%
28.4th percentile

Affected Products

VendorProductVersions
fastifyfastify5.3.2, 5.8.5
fastifyfastify5.3.2, 5.8.5

Timeline

  • Apr 15, 2026 CVE Published
  • Apr 15, 2026 PoC Published
  • Apr 15, 2026 PoC Published
  • Apr 16, 2026 Security Advisory
  • Apr 16, 2026 Security Advisory
  • Apr 24, 2026 CVE Updated
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›