PatchSiren cyber security CVE debrief
CVE-2026-2293 nest.js CVE debrief
CVE-2026-2293 is a high-severity vulnerability affecting NestJS applications that use @nestjs/platform-fastify. It allows authentication and authorization middleware to be bypassed when Fastify path-normalization options are enabled. The vulnerability affects NestJS version 11.1.13 and carries a CVSS score of 8.2 (high). It was published on February 27, 2026, and last modified on June 30, 2026.
- Vendor: nest.js
- Product: Unknown
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-27
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-27
- Advisory updated: 2026-06-30
Who should care
Organizations using NestJS applications with @nestjs/platform-fastify should prioritize patching this vulnerability. The high CVSS score of 8.2 indicates that this vulnerability poses a significant risk to affected systems. Security teams and developers responsible for maintaining NestJS applications should take immediate action to mitigate this vulnerability.
Technical summary
CVE-2026-2293 affects NestJS applications using @nestjs/platform-fastify. When Fastify path-normalization options are enabled, an attacker can bypass authentication and authorization middleware, which can expose protected areas of the application to unauthenticated or unauthorized requests. The vulnerability has a CVSS score of 8.2 (high). It is associated with CWE-863 (Incorrect Authorization) and CWE-551 (Incorrect Behavior Order: Authorization Before Parsing and Canonicalization).
Defensive priority
High priority should be given to patching this vulnerability due to its high CVSS score and potential impact on application security. Immediate action is recommended to prevent potential exploitation.
Recommended defensive actions
- Apply the patch: Upgrade to NestJS version 11.1.14 or later to fix the vulnerability.
- Review and update Fastify path-normalization options to ensure they are not inadvertently enabling the bypass.
- Conduct a thorough review of application security configurations and middleware settings.
- Monitor for suspicious activity and implement additional logging and monitoring to detect potential exploitation attempts.
- Consider implementing compensating controls, such as additional authentication or authorization checks, until the patch can be applied.
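As an added example of the compensating control in the last two items (this is not NestJS, Fastify or advisory code), a path matcher that canonicalizes the request path the way the Fastify router options would before deciding whether an authorization check applies, plus a probe that lists URL forms on which a raw-URL matcher and the canonicalizing matcher disagree. The option names mirror Fastify's ignoreTrailingSlash, ignoreDuplicateSlashes and caseSensitive settings; the protected prefixes and the naive matcher are constructed for illustration and do not reproduce NestJS's middleware matching.

```javascript
// Added example, not NestJS/Fastify code: make the authorization decision on
// a canonical path rather than the raw URL. Option names mirror Fastify's
// ignoreTrailingSlash, ignoreDuplicateSlashes and caseSensitive settings.
const STRICT = { ignoreTrailingSlash: false, ignoreDuplicateSlashes: false, caseSensitive: true };
const LENIENT = { ignoreTrailingSlash: true, ignoreDuplicateSlashes: true, caseSensitive: false };

// Protected prefixes, constructed for this example.
const PROTECTED_PREFIXES = ['/admin', '/api/users'];

// Reduce a request URL to the path form the router would match against.
function canonicalPath(url, opts = STRICT) {
  let path = url.split(/[?#]/, 1)[0]; // routing never sees query or fragment
  if (opts.ignoreDuplicateSlashes) path = path.replace(/\/{2,}/g, '/');
  if (opts.ignoreTrailingSlash && path.length > 1 && path.endsWith('/')) {
    path = path.slice(0, -1);
  }
  if (!opts.caseSensitive) path = path.toLowerCase();
  return path;
}

function matchesPrefix(path, prefix) {
  return path === prefix || path.startsWith(prefix + '/');
}

// Hardened check: apply the router's normalization first, then match.
function requiresAuth(url, opts = STRICT) {
  const path = canonicalPath(url, opts);
  return PROTECTED_PREFIXES.some((p) =>
    matchesPrefix(path, opts.caseSensitive ? p : p.toLowerCase()));
}

// Naive check on the raw URL: the shape of check that can disagree with a
// normalizing router (constructed for contrast, not NestJS's logic).
function requiresAuthNaive(url) {
  return PROTECTED_PREFIXES.some((p) => matchesPrefix(url, p));
}

// Regression probe for a deployment: every URL form in the list on which the
// naive and hardened checks disagree under the given router options.
function findDisagreements(urls, opts = STRICT) {
  return urls.filter((u) => requiresAuthNaive(u) !== requiresAuth(u, opts));
}
```

Run the probe with the option set the deployment actually uses; any URL it returns is a path form the protected-route check must be taught to recognize.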
Evidence notes
The CVE-2026-2293 vulnerability was published on February 27, 2026, and last modified on June 30, 2026. The vulnerability affects NestJS version 11.1.13 and has a CVSS score of 8.2. The CWE-863 and CWE-551 weaknesses are associated with this vulnerability. The vulnerability allows for the bypass of authentication and authorization middleware when Fastify path-normalization options are enabled.
Official resources
- CVE-2026-2293 CVE record (CVE.org)
- CVE-2026-2293 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory
- Source reference: [email protected] - Product
- Mitigation or vendor reference: [email protected] - Release Notes
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.