{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-2293","assignerOrgId":"84fe0718-d6bb-4716-a7e8-81a6d1daa869","state":"PUBLISHED","assignerShortName":"Fluid Attacks","dateReserved":"2026-02-10T15:48:58.721Z","datePublished":"2026-02-27T16:15:11.784Z","dateUpdated":"2026-02-27T17:07:59.779Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://registry.npmjs.org","defaultStatus":"unaffected","packageName":"nestjs","platforms":["Windows","MacOS","iOS"],"product":"nest.js","vendor":"nest.js","versions":[{"status":"affected","version":"11.1.13"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:nest.js:nest.js:11.1.13:*:windows:*:*:*:*:*","vulnerable":true},{"criteria":"cpe:2.3:a:nest.js:nest.js:11.1.13:*:macos:*:*:*:*:*","vulnerable":true},{"criteria":"cpe:2.3:a:nest.js:nest.js:11.1.13:*:ios:*:*:*:*:*","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"Cristian Vargas"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.<br><br></p><p>This issue affects nest.js: 11.1.13.</p>"}],"value":"A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.\n\n\n\nThis issue affects nest.js: 11.1.13."}],"impacts":[{"capecId":"CAPEC-554","descriptions":[{"lang":"en","value":"CAPEC-554 Functionality Bypass"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":8.2,"baseSeverity":"HIGH","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863 Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"84fe0718-d6bb-4716-a7e8-81a6d1daa869","shortName":"Fluid Attacks","dateUpdated":"2026-02-27T16:15:11.784Z"},"references":[{"tags":["third-party-advisory"],"url":"https://fluidattacks.com/advisories/neton"},{"tags":["product"],"url":"https://github.com/nestjs/nest/"},{"tags":["patch"],"url":"https://github.com/nestjs/nest/releases/tag/v11.1.14"}],"source":{"discovery":"UNKNOWN"},"title":"NestJS 11.1.13 - Lack of data validation allowing authentication/authorization bypass","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-27T17:06:38.795771Z","id":"CVE-2026-2293","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-27T17:07:59.779Z"}}]}}