High severity 7.5 · NVD Advisory · Published Apr 15, 2026 · Updated Apr 17, 2026
CVE-2026-33806
Description
Impact:
Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.
This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442.
Patches:
Upgrade to fastify v5.8.5 or later.
Workarounds:
None. Upgrade to the patched version.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fastify (npm) | >= 5.3.2, < 5.8.5 | 5.8.5 |
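To check a project against the affected range above, this added example (not code from the advisory or the Fastify project) scans an npm lockfile's `packages` map for top-level and nested fastify installs. The sample lockfile is constructed, and ignoring prerelease suffixes is a simplifying assumption.

```javascript
// Affected range from the advisory: fastify >= 5.3.2, < 5.8.5 (fixed in 5.8.5).
const AFFECTED_FROM = [5, 3, 2];
const FIXED_IN = [5, 8, 5];

// Parse "major.minor.patch"; prerelease/build suffixes are ignored (assumption).
// Returns null for anything that does not start with a numeric triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable versions need manual review
  return compare(v, AFFECTED_FROM) >= 0 && compare(v, FIXED_IN) < 0;
}

// Walk a lockfile (v2/v3 "packages" layout) and report every affected fastify
// copy, including ones nested under another dependency's node_modules.
function findAffectedFastify(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const isFastify =
      path === "node_modules/fastify" || path.endsWith("/node_modules/fastify");
    if (isFastify && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile; package names and versions are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/fastify": { version: "5.8.5" },
    "node_modules/legacy-plugin/node_modules/fastify": { version: "5.4.0" },
    "node_modules/@fastify/cors": { version: "5.3.2" },
    "node_modules/old-service/node_modules/fastify": { version: "5.3.1" },
  },
};

console.log(findAffectedFastify(SAMPLE_LOCK));
```

A nested copy pinned by another dependency stays affected even when the top-level fastify is already at 5.8.5, which is why the scan covers every `node_modules/fastify` path.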
References
- cna.openjsf.org/security-advisories.html (nvd, Vendor Advisory, WEB)
- github.com/advisories/GHSA-247c-9743-5963 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-32442 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33806 (ghsa, ADVISORY)
- github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4 (ghsa, WEB)
- github.com/fastify/fastify/releases/tag/v5.8.5 (ghsa, WEB)
- github.com/fastify/fastify/security/advisories/GHSA-247c-9743-5963 (ghsa, WEB)
- github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc (nvd, Not Applicable, WEB)