Sign In

CVE-2026-44574

ADVISORY - github

Summary

Impact

Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check.

Fix

We now only honor internal route-parameter normalization in trusted routing flows and ignore externally supplied parameter encodings that should never have been accepted from ordinary requests.

Workarounds

If you cannot upgrade immediately, enforce authorization in route or page logic instead of relying solely on middleware path matching.

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-288

Authentication Bypass Using an Alternate Path or Channel

ADVISORY - github

CWE-288

Authentication Bypass Using an Alternate Path or Channel

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in