cvedb.io
CVE-2026-33806
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-04-15T04:17:36.650 · Last modified 2026-06-30T03:18:42.427

Summary

Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442 Patches: Upgrade to fastify v5.8.5 or later. Workarounds: None. Upgrade to the patched version.

Affected products

fastify — fastify

Does this affect you?

Add your gear to cvedb and we'll alert you only when fastify ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.