CVE-2026-41690 is a high-severity path traversal vulnerability in i18next-http-middleware (npm), affecting versions < 3.9.3. It is fixed in 3.9.3.
Summary Versions of i18next-http-middleware prior to 3.9.3 pass user-controlled lng and ns parameters to two internal paths that use them in ways that enable prototype pollution and, depending on the configured backend, path traversal or SSRF. The vulnerable entry points are unauthenticated HTTP handlers that are part of the middleware's public API: getResourcesHandler, reads lng/ns from query parameters or route params and passes them unvalidated to: utils.setPath(resources, [lng, ns], ...), the setPath helper did not guard against proto, constructor, or prototype keys, writing into Object.prototype when those values were supplied. i18next.services.backendConnector.load(languages, namespaces, ...), depending on the configured backend, unvalidated path segments enabled filesystem path traversal (e.g. with i18next-fs-backend) or SSRF (e.g. with i18next-http-backend). A namespaces.forEach(ns => i18next.options.ns.push(ns)) loop additionally performed permanent, unbounded growth of the shared singleton namespace list. missingKeyHandler, iterated the incoming request body with for...in, which traverses inherited prototype-chain properties. A POST body like {"proto": {"isAdmin": true}} was forwarded into saveMissing. Impact Prototype pollution, a single unauthenticated request of the form GET /locales/resources.json?lng=proto&ns=isAdmin writes into Object.prototype, affecting every plain object created subsequently in the Node.js process. This can break authorization checks (if (user.isAdmin)), cause denial of service via type confusion, or be chained into RCE depending on what downstream code reads from polluted objects. Path traversal / SSRF, with filesystem or HTTP backends that interpolate lng/ns into paths or URLs, attacker-controlled values like ns=../../etc/passwd or lng=internal-service could reach resources outside the intended scope. Denial of service, the unbounded i18next.options.ns growth, plus repeated backend load calls, enabled memory and CPU exhaustion from unique namespace payloads. Affected versions < 3.9.3. Patch Fixed in 3.9.3. The patch: Blocks proto, constructor, and prototype keys in utils.setPath. Replaces the for...in body iteration in missingKeyHandler with Object.keys() plus an explicit dangerous-keys guard. Introduces a utils.isSafeIdentifier helper (denylist approach, still permits any legitimate i18next language code shape) that filters lng/ns values for path-traversal, path separators, control characters, prototype keys, and over-long inputs before they reach the backend connector and before they are pushed into i18next.options.ns. Workarounds No workaround short of upgrading. Front-proxying the middleware with a WAF rule that rejects requests containing proto, constructor, prototype, .., or control characters in lng/ns query parameters or body keys is a partial mitigation. Credits Discovered via an internal security audit of the i18next ecosystem.
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-41690 has a CVSS score of 8.6 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (3.9.3). Upgrading removes the vulnerable code path.
npm
i18next-http-middleware (< 3.9.3)i18next-http-middleware → 3.9.3 (npm)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-41690 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-41690 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-41690 in your environment →Upgrade i18next-http-middleware to 3.9.3 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-41690 is a high-severity path traversal vulnerability in i18next-http-middleware (npm), affecting versions < 3.9.3. It is fixed in 3.9.3. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
CVE-2026-41690 has a CVSS score of 8.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
i18next-http-middleware (npm) versions < 3.9.3 is affected.
Yes. CVE-2026-41690 is fixed in 3.9.3. Upgrade to this version or later.
Whether CVE-2026-41690 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade i18next-http-middleware to 3.9.3 or later.