CVE-2026-62314
Anubis: Policy bypass via client controlled X-Original-URI header
CVSS Score
5.8
EPSS Score
0.0%
EPSS Percentile
0th
Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots. From 1.22.0 until 1.26.0-pre1, lib/policy/checker.go PathChecker.Check() trusted the client-controlled X-Original-URI header before matching r.URL.Path, allowing an HTTP client to match default data/common/keep-internet-working.yaml ALLOW rules such as ^/\.well-known/.*$ and bypass the Anubis challenge. This issue is fixed in version 1.26.0-pre1.
| CWE | CWE-284 |
| Vendor | techarohq |
| Product | anubis |
| Published | Jul 15, 2026 |
| Last Updated | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for techarohq anubis
Be the first to know when new medium vulnerabilities affecting techarohq anubis are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
TecharoHQ / anubis
>= 1.22.0, < 1.26.0-pre1
References
github.com: https://github.com/TecharoHQ/anubis/security/advisories/GHSA-6wcg-mqvh-fcvg github.com: https://github.com/TecharoHQ/anubis/pull/1630 github.com: https://github.com/TecharoHQ/anubis/commit/276b537776b281b1c4e01421435bc03ade3d8fc4 github.com: https://github.com/TecharoHQ/anubis/releases/tag/v1.26.0-pre1