๐Ÿ” CVE Alert

CVE-2026-62314

MEDIUM 5.8

Anubis: Policy bypass via client controlled X-Original-URI header

CVSS Score
5.8
EPSS Score
0.0%
EPSS Percentile
0th

Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots. From 1.22.0 until 1.26.0-pre1, lib/policy/checker.go PathChecker.Check() trusted the client-controlled X-Original-URI header before matching r.URL.Path, allowing an HTTP client to match default data/common/keep-internet-working.yaml ALLOW rules such as ^/\.well-known/.*$ and bypass the Anubis challenge. This issue is fixed in version 1.26.0-pre1.

CWE CWE-284
Vendor techarohq
Product anubis
Published Jul 15, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for techarohq anubis

Be the first to know when new medium vulnerabilities affecting techarohq anubis are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Affected Versions

TecharoHQ / anubis
>= 1.22.0, < 1.26.0-pre1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/TecharoHQ/anubis/security/advisories/GHSA-6wcg-mqvh-fcvg github.com: https://github.com/TecharoHQ/anubis/pull/1630 github.com: https://github.com/TecharoHQ/anubis/commit/276b537776b281b1c4e01421435bc03ade3d8fc4 github.com: https://github.com/TecharoHQ/anubis/releases/tag/v1.26.0-pre1