Post

CVE-2026-62314 - Anubis Policy Bypass via Client Controlled X-Original-URI Header

CVE-2026-62314 - Anubis Policy Bypass via Client Controlled X-Original-URI Header

CVE-2026-62314 - Anubis: Policy Bypass via Client Controlled X-Original-URI Header

A new vulnerability, CVE-2026-62314, has been identified, impacting Anubis, a Web AI Firewall Utility that challenges users’ connections to protect upstream resources from scraper bots. From versions 1.22.0 until 1.26.0-pre1, the lib/policy/checker.go PathChecker.Check() function trusted the client-controlled X-Original-URI header before matching r.URL.Path. This flaw allowed an HTTP client to match default data/common/keep-internet-working.yaml ALLOW rules such as ^/\.well-known/.*$, effectively bypassing the Anubis challenge. This issue has been resolved in version 1.26.0-pre1. 🚀

Technical Details

The vulnerability history indicates that affected versions for TecharoHQ Anubis range from 1.22.0 to 1.26.0-pre1. The CVSS V3.1 vector assigned is AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N, and it is classified as CWE-284.

Additional References

For more information, you can check the following links:

To read the complete article, see: Read full article

This post is licensed under CC BY 4.0 by the author.