PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-2293 nest.js CVE debrief

CVE-2026-2293 is a high-severity vulnerability affecting NestJS applications that use @nestjs/platform-fastify. The issue allows for the bypass of authentication and authorization middleware when Fastify path-normalization options are enabled. This vulnerability impacts NestJS version 11.1.13. The CVSS score for this vulnerability is 8.2, indicating a high severity level. The vulnerability was published on February 27, 2026, and last modified on June 30, 2026.

Vendor: nest.js
Product: Unknown
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-27
Original CVE updated: 2026-06-30
Advisory published: 2026-02-27
Advisory updated: 2026-06-30

Who should care

Organizations using NestJS applications with @nestjs/platform-fastify should prioritize patching this vulnerability. The high CVSS score of 8.2 indicates that this vulnerability poses a significant risk to affected systems. Security teams and developers responsible for maintaining NestJS applications should take immediate action to mitigate this vulnerability.

Technical summary

The vulnerability CVE-2026-2293 affects NestJS applications using @nestjs/platform-fastify. When Fastify path-normalization options are enabled, an attacker can bypass authentication and authorization middleware. This issue is particularly concerning because it can allow unauthorized access to sensitive areas of the application. The vulnerability has been assigned a CVSS score of 8.2, indicating high severity. The CWE-863 (Incorrect Authorization) and CWE-551 (Information Exposure) weaknesses are associated with this vulnerability.

Defensive priority

High priority should be given to patching this vulnerability due to its high CVSS score and potential impact on application security. Immediate action is recommended to prevent potential exploitation.

Recommended defensive actions

  • Apply the patch: Upgrade to NestJS version 11.1.14 or later to fix the vulnerability.
  • Review and update Fastify path-normalization options to ensure they are not inadvertently enabling the bypass.
  • Conduct a thorough review of application security configurations and middleware settings.
  • Monitor for suspicious activity and implement additional logging and monitoring to detect potential exploitation attempts.
  • Consider implementing compensating controls, such as additional authentication or authorization checks, until the patch can be applied.

Evidence notes

The CVE-2026-2293 vulnerability was published on February 27, 2026, and last modified on June 30, 2026. The vulnerability affects NestJS version 11.1.13 and has a CVSS score of 8.2. The CWE-863 and CWE-551 weaknesses are associated with this vulnerability. The vulnerability allows for the bypass of authentication and authorization middleware when Fastify path-normalization options are enabled.

This article is AI-assisted and based on the supplied source corpus.