Description
Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. This issue has been patched in versions 3.21.6 and 4.4.6.
Published: 2026-06-12
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hg3f-28rg-4jxj Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
History

Mon, 15 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Nuxt nuxt\/nitro-server
CPEs cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*
cpe:2.3:a:nuxt:nuxt\/nitro-server:*:*:*:*:*:node.js:*:*
Vendors & Products Nuxt nuxt\/nitro-server
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Sat, 13 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Nuxt
Nuxt nuxt
Vendors & Products Nuxt
Nuxt nuxt

Fri, 12 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. This issue has been patched in versions 3.21.6 and 4.4.6.
Title Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
Weaknesses CWE-284
CWE-288
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Nuxt Nuxt Nuxt\/nitro-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-13T02:56:45.199Z

Reserved: 2026-05-18T22:07:37.436Z

Link: CVE-2026-47200

cve-icon Vulnrichment

Updated: 2026-06-13T02:56:36.627Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-12T14:16:32.137

Modified: 2026-06-15T18:09:33.590

Link: CVE-2026-47200

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T15:30:31Z

Weaknesses