CVE-2026-30246

package main import ( "fmt" "github.com/gofiber/fiber/v3" "github.com/gofiber/fiber/v3/middleware/cache" ) func main() { app := fiber.New() // Enable cache middleware with default settings (Vulnerable) app.Use(cache.New()) app.Get("/profile", func(c fiber.Ctx) error { userID := c.Query("id", "guest") // Simulate sensitive data retrieval based on query param return c.SendString("Profile Data for User: " + userID) }) // Scenario simulation // 1. Attacker requests profile for 'admin', response is cached under key '/profile' // 2. Victim requests profile for 'user1', but receives cached 'admin' data fmt.Println("Server running on vulnerable configuration...") app.Listen(":3000") }

{"cve": {"id": "CVE-2026-30246", "sourceIdentifier": "[email protected]", "published": "2026-05-05T13:16:28.820", "lastModified": "2026-05-12T13:44:42.697", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-436"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*", "versionEndIncluding": "3.1.0", "matchCriteriaId": "F4D5D7B6-2F8B-461E-B59A-BAD18731F429"}]}]}], "references": [{"url": "https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}