CVE-2026-33806: Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header
A validation bypass vulnerability exists in Fastify v5.x where request body validation schemas specified via schema.body.content can be completely circumvented by prepending a single space character (\x20) to the Content-Type header. The body is still parsed correctly as JSON (or any other content type), but schema validation is entirely skipped.
This is a regression introduced by commit f3d2bcb (fix for CVE-2025-32442).
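The bug class behind this advisory is a canonicalization mismatch: the body parser and the schema lookup normalize the Content-Type header differently, so a value the parser accepts can still miss the schema table. The following is an added illustration of that mismatch and its fix, not Fastify's own code; the `route` object, the `selectSchema*` functions, the toy `validate` and `handle` helpers, and the sample requests are all constructed for this example and only mimic the shape of Fastify's `schema.body.content` option.

```javascript
// Added example for CVE-2026-33806's bug class (not Fastify's code): the body
// parser canonicalizes the media type, the schema lookup does not, so a
// leading space reaches the parser but skips validation.

// Hypothetical route using a per-media-type body schema table, shaped like
// Fastify's schema.body.content option (assumed shape, not Fastify's API).
const route = {
  schema: {
    body: {
      content: {
        'application/json': {
          schema: {
            type: 'object',
            required: ['amount'],
            properties: { amount: { type: 'integer', minimum: 1 } },
          },
        },
      },
    },
  },
};

// Canonical media type: drop parameters, trim whitespace, lowercase.
function mediaType(header) {
  return String(header || '').split(';')[0].trim().toLowerCase();
}

// Vulnerable lookup: keys the table on the raw header value (no trim).
// A miss returns undefined, which the pipeline treats as "no schema".
function selectSchemaVulnerable(route, contentTypeHeader) {
  const content = route.schema.body.content;
  const key = String(contentTypeHeader || '').split(';')[0];
  return content[key] ? content[key].schema : undefined;
}

// Hardened lookup: uses the same canonicalization as the parser.
function selectSchemaHardened(route, contentTypeHeader) {
  const content = route.schema.body.content;
  const key = mediaType(contentTypeHeader);
  return content[key] ? content[key].schema : undefined;
}

// Toy validator for the schema shape above; not a JSON Schema implementation.
function validate(schema, body) {
  if (!schema) return { valid: true, skipped: true };
  if (typeof body !== 'object' || body === null) return { valid: false, skipped: false };
  for (const req of schema.required || []) {
    if (!(req in body)) return { valid: false, skipped: false };
  }
  for (const [k, p] of Object.entries(schema.properties || {})) {
    if (!(k in body)) continue;
    if (p.type === 'integer' && !Number.isInteger(body[k])) return { valid: false, skipped: false };
    if (p.minimum !== undefined && body[k] < p.minimum) return { valid: false, skipped: false };
  }
  return { valid: true, skipped: false };
}

// Simulated request pipeline: the parser picks JSON by canonical media type,
// then the supplied lookup decides whether validation runs at all.
function handle(selectSchema, headers, rawBody) {
  if (mediaType(headers['content-type']) !== 'application/json') return { status: 415 };
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400 };
  }
  const result = validate(selectSchema(route, headers['content-type']), body);
  if (!result.valid) return { status: 400 };
  return { status: 200, skipped: result.skipped, body };
}

// Constructed sample requests: a body that violates the schema, sent once
// with a normal header and once with a leading space (\x20).
const malformedBody = '{"amount": -5}';
const goodHeader = { 'content-type': 'application/json' };
const leadingSpaceHeader = { 'content-type': ' application/json' };
```

Running `handle(selectSchemaVulnerable, leadingSpaceHeader, malformedBody)` yields a 200 with `skipped: true`, while the same body with the normal header is rejected with 400; `selectSchemaHardened` rejects both. The practical check for a deployed service is the same pair of requests: if a body that your schema should reject is accepted only when the Content-Type carries a leading space, the lookup and the parser disagree on canonicalization.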
References
- cna.openjsf.org/security-advisories.html
- github.com/advisories/GHSA-247c-9743-5963
- github.com/fastify/fastify
- github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4
- github.com/fastify/fastify/releases/tag/v5.8.5
- github.com/fastify/fastify/security/advisories/GHSA-247c-9743-5963
- github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc
- nvd.nist.gov/vuln/detail/CVE-2025-32442
- nvd.nist.gov/vuln/detail/CVE-2026-33806