Summary
Mitigating factors
- Only affects apps that use
routeRules.appMiddleware. The more
idiomaticdefinePageMeta({ middleware })is bound to the matched
route record and is unaffected. - Nuxt route middleware is documented as an app-layer concern, not a
server-side auth boundary; well-built apps enforce authorization
again at the API / data-fetching layer. - Apps that explicitly set
router.options.sensitive = trueare not
affected.
Workarounds
Until you can upgrade, you can mitigate by either:
- Setting
router.options.sensitive = trueso vue-router matches
case-sensitively (this changes route-matching behaviour app-wide). - Moving security-critical middleware off
routeRules.appMiddleware
and ontodefinePageMeta({ middleware: [...] })on the protected
page components, which is bound to the matched record. - Enforcing authorization at the API / data-fetching layer (which you
should be doing in any case).
Credit
Reported by Anthropic / Claude through Anthropic's coordinated
vulnerability disclosure process. Reference: ANT-2026-9FSEBYMC.
Impact
Nuxt looks up routeRules for the current navigation by callinggetRouteRules({ path: to.path }) from the page-router plugin and the
no-pages router plugin. The compiled routeRules matcher (built onrou3) performs case-sensitive matching, while vue-router is configured
with its default sensitive: false and matches paths case-insensitively.
The two routers therefore disagree on which rules apply to a given
request path: vue-router still matches the page record for/Admin/dashboard, but the routeRules lookup for the same path
returns no match. Any appMiddleware declared via routeRules is never
added to the middleware set and never runs, on both SSR and client
navigations. The same path skips other path-keyed route rules in the
same way (ssr, redirect, appLayout, and the prerender / payload
hints used client-side).
For applications using routeRules with appMiddleware as an
authorization gate (a documented pattern), an attacker can flip the case
of any static segment in a protected URL (for example /Admin/dashboard
instead of /admin/dashboard) to render the protected page with the
middleware skipped. The server returns the fully server-rendered page
including any useFetch / useAsyncData results captured during SSR.
This is an instance of CWE-178 (Improper Handling of Case Sensitivity)
leading to CWE-863 (Incorrect Authorization) for apps that treatappMiddleware as an authorization boundary.
The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Fixed in [email protected] (commit 07e39cd6) and backported to [email protected] (commit 3f3e3fa7). The fix normalizes the path used for routeRules lookups so it matches vue-router's default case-insensitive semantics.
Frequently Asked Questions
- What is CVE-2026-53721? CVE-2026-53721 is a high-severity incorrect authorization vulnerability in nuxt (npm), affecting versions >= 4.0.0, < 4.4.7. It is fixed in 4.4.7, 3.21.7. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
- Which versions of nuxt are affected by CVE-2026-53721? nuxt (npm) versions >= 4.0.0, < 4.4.7 is affected.
- Is there a fix for CVE-2026-53721? Yes. CVE-2026-53721 is fixed in 4.4.7, 3.21.7. Upgrade to this version or later.
- Is CVE-2026-53721 exploitable, and should I be worried? Whether CVE-2026-53721 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-53721 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-53721?
- Upgrade
nuxtto 4.4.7 or later - Upgrade
nuxtto 3.21.7 or later
- Upgrade