CVE-2026-47200— Nuxt 权限许可和访问控制问题漏洞

Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. This issue has been patched in versions 3.21.6 and 4.4.6.

N/A

访问控制不恰当

Nuxt 权限许可和访问控制问题漏洞

Nuxt是Nuxt团队开源的一个免费的开源框架。 Nuxt存在安全漏洞，该漏洞源于在启用experimental.componentIslands时，会注册服务器岛端点，未实例化Vue Router导致路由中间件未执行，可能导致安全策略绕过。以下版本受到影响：3.11.0版本至3.21.6之前版本、4.0.0-alpha.1版本至4.4.6之前版本、@nuxt/nitro-server 3.20.0版本至3.21.6之前版本和4.0.0-alpha.1版本至4.4.6之前版本。

N/A

N/A