Bug 2466684 (CVE-2026-6322) - CVE-2026-6322 fast-uri: fast-uri: URI authority bypass due to improper delimiter handling
Summary: CVE-2026-6322 fast-uri: fast-uri: URI authority bypass due to improper delimi...
Keywords:
Status: NEW
Alias: CVE-2026-6322
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2484651 2484652 2484653 2484655 2484658 2484660 2484661 2484663 2484664 2484665 2484666 2484667 2484669 2484670 2484671 2484654 2484656 2484657 2484659 2484662 2484668
Blocks:
Reported: 2026-05-05 11:01 UTC by OSIDB Bzimport
Modified: 2026-06-10 05:01 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-05-05 11:01:23 UTC
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
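As an added illustration (not fast-uri's code and not from this report), the JavaScript below models the described behaviour with a deliberately naive normalizer and shows the check an application can apply before using a normalized URI for host allowlisting, redirect validation or outbound routing. The allowlist, the helper names and the sample URIs are constructed for this example.

```javascript
const ALLOWED_HOSTS = new Set(['example.com']); // constructed allowlist

// Minimal "scheme://authority/rest" split (assumption: hierarchical URIs only).
function splitUri(uri) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)([\s\S]*)$/i.exec(uri);
  return m ? { scheme: m[1], authority: m[2], rest: m[3] } : null;
}

// userinfo@host:port split; IPv6 literals are out of scope for this sketch.
function parseAuthority(authority) {
  const at = authority.lastIndexOf('@');
  const userinfo = at >= 0 ? authority.slice(0, at) : null;
  const hostport = at >= 0 ? authority.slice(at + 1) : authority;
  const colon = hostport.lastIndexOf(':');
  const host = colon >= 0 ? hostport.slice(0, colon) : hostport;
  const port = colon >= 0 ? hostport.slice(colon + 1) : null;
  return { userinfo, host, port };
}

// Percent-decode, returning null for malformed sequences instead of throwing.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return null; }
}

// Flawed behaviour from the description: the host is percent-decoded and then
// re-emitted raw, so an encoded "@" becomes a real userinfo separator.
function naiveNormalize(uri) {
  const p = splitUri(uri);
  const a = parseAuthority(p.authority);
  const host = (safeDecode(a.host) ?? a.host).toLowerCase();
  const userinfo = a.userinfo !== null ? a.userinfo + '@' : '';
  const port = a.port !== null ? ':' + a.port : '';
  return `${p.scheme}://${userinfo}${host}${port}${p.rest}`;
}

// Defensive check: decide on the host as parsed from the raw input, reject a host
// whose decoded form contains an authority delimiter, and require the host to
// survive normalization unchanged before the normalized URI is used.
function hostAllowed(uri, normalize = naiveNormalize) {
  const p = splitUri(uri);
  if (!p) return { ok: false, reason: 'unparseable' };
  const host = parseAuthority(p.authority).host.toLowerCase();
  const decoded = safeDecode(host);
  if (decoded === null || /[@:\/?#\[\]]/.test(decoded)) return { ok: false, reason: 'delimiter or bad encoding in host' };
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: 'host not allowlisted' };
  const after = parseAuthority(splitUri(normalize(uri)).authority).host;
  if (after !== host) return { ok: false, reason: 'host changed by normalization' };
  return { ok: true, host };
}
```

Running `hostAllowed` over a URI whose host is `example.com%40evil.example` shows the naive normalizer re-emitting the authority as `example.com@evil.example` (host `evil.example`), while the check rejects it on the decoded delimiter before any allowlist decision is made.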

