Bug 2466684 (CVE-2026-6322)

Summary: CVE-2026-6322 fast-uri: fast-uri: URI authority bypass due to improper delimiter handling
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by crafting a malicious Uniform Resource Identifier (URI) that contains percent-encoded authority delimiters. The fast-uri library incorrectly decodes these delimiters during normalization and then re-emits them as raw separators, which can change the URI's intended authority. This issue allows applications that perform host allowlist checks, redirect validation, or outbound request routing to be steered to a different authority than specified, potentially bypassing security controls.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2484651, 2484652, 2484653, 2484655, 2484658, 2484660, 2484661, 2484665, 2484667, 2484669, 2484670, 2484671, 2484654, 2484656, 2484657, 2484659, 2484662, 2484663, 2484664, 2484666, 2484668    
Bug Blocks:    

Description OSIDB Bzimport 2026-05-05 11:01:23 UTC
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
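The following is an added example, not fast-uri's own code and not a call into fast-uri: it shows an authority-preservation check an application can wrap around whatever normalizer it uses, so that a host which percent-decodes into a delimiter is refused before any allowlist or redirect decision. `naiveNormalize` is a constructed stand-in that reproduces the decode-and-re-emit behaviour described above, and the hostnames are constructed.

```javascript
// Characters that re-partition an authority if they appear raw after decoding.
const DELIMITERS = /[@:\/?#\[\]]/;

// Raw (undecoded) authority of a URI string, or null if it has none.
function rawAuthority(uri) {
  const m = /^[A-Za-z][A-Za-z0-9+.-]*:\/\/([^\/?#]*)/.exec(uri);
  return m ? m[1] : null;
}

// Host part of an authority: drop userinfo (up to the last '@') and the port.
function rawHost(authority) {
  const hostport = authority.slice(authority.lastIndexOf('@') + 1);
  if (hostport.startsWith('[')) return hostport.slice(0, hostport.indexOf(']') + 1);
  const colon = hostport.lastIndexOf(':');
  return colon === -1 ? hostport : hostport.slice(0, colon);
}

// decodeURIComponent throws on malformed %XX; treat that as "cannot be trusted".
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return null; }
}

// Constructed stand-in for the flawed behaviour (not fast-uri's implementation):
// percent-decode the whole authority and write it back as raw characters.
function naiveNormalize(uri) {
  const auth = rawAuthority(uri);
  if (!auth) return uri;
  const decoded = safeDecode(auth);
  return decoded === null ? uri : uri.replace(auth, decoded.toLowerCase());
}

// Defensive check for host allowlisting, redirect validation or request routing:
// percent-encoding in the host must not hide a delimiter, and the host the check
// saw must be the host the normalized URI still carries (case-insensitively).
function authorityPreserved(original, normalized) {
  const a = rawAuthority(original);
  const b = rawAuthority(normalized);
  if (a === null || b === null) return a === b;
  const host = rawHost(a);
  const decodedHost = safeDecode(host);
  if (decodedHost === null) return false;
  if (decodedHost !== host && DELIMITERS.test(decodedHost)) return false;
  return rawHost(b).toLowerCase() === host.toLowerCase();
}
```

Run the constructed host through `naiveNormalize` and the raw at-sign moves the host to the second domain; `authorityPreserved` returns false for that input and true for benign case-folding or IPv6 literals.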