High severity8.6GHSA Advisory· Published May 8, 2026· Updated May 12, 2026
CVE-2026-41690
CVE-2026-41690
Description
18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
i18next-http-middlewarenpm | < 3.9.3 | 3.9.3 |
Affected products
2- Range: < 3.9.3
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.