CVE-2026-47200

MEDIUM

Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`

Title source: cna

Description

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. This issue has been patched in versions 3.21.6 and 4.4.6.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/nuxt/nuxt/security/advisories/GHSA-hg3f-28rg-4jxj

X_Refsource_Misc x_refsource_misc

https://github.com/nuxt/nuxt/pull/35092

Scores

CVSS v3 5.3

EPSS 0.0046

EPSS Percentile 36.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-284 CWE-288

Status published

Products (8)

npm/nuxt 3.11.0 - 3.21.6npm

npm/nuxt 4.0.0-alpha.1 - 4.4.6npm

nuxt/nitro-server 3.20.0 - 3.21.6npm

nuxt/nitro-server 4.2.0 - 4.4.6npm

nuxt/nuxt 3.11.0 - 3.21.6

nuxt/nuxt >= 3.11.0, < 3.21.6

nuxt/nuxt >= 4.0.0-alpha.1, < 4.4.6

nuxt/nuxt\/nitro-server 3.20.0 - 3.21.6

Published Jun 12, 2026

Tracked Since Jun 12, 2026