High severity8.6GHSA Advisory· Published May 8, 2026· Updated May 12, 2026

CVE-2026-41690

Description

18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
i18next-http-middlewarenpm	< 3.9.3	3.9.3

Affected products

I18next/I18next Http MiddlewareGHSA
Range: < 3.9.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-5fgg-jcpf-8jjwghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41690ghsaADVISORY
github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjwnvdWEB
www.i18next.com/how-to/faqghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.559
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000