CVE-2026-62314 in Anubisinfo

Summary

by MITRE • 07/16/2026

Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots. From 1.22.0 until 1.26.0-pre1, lib/policy/checker.go PathChecker.Check() trusted the client-controlled X-Original-URI header before matching r.URL.Path, allowing an HTTP client to match default data/common/keep-internet-working.yaml ALLOW rules such as ^/\.well-known/.*$ and bypass the Anubis challenge. This issue is fixed in version 1.26.0-pre1.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability exists within Anubis version 1.22.0 through 1.26.0-pre1 where the PathChecker.Check() function in lib/policy/checker.go exhibits a critical trust issue with client-controlled headers. This flaw allows malicious actors to manipulate the X-Original-URI header to bypass security controls by matching against predefined ALLOW rules in data/common/keep-internet-working.yaml. The implementation essentially prioritizes client-supplied URI information over the actual request path, creating an arbitrary rule bypass condition that undermines the core protection mechanism designed to challenge scraper bots.

The technical execution of this vulnerability relies on the HTTP client's ability to inject a malicious X-Original-URI header value that matches the regular expression pattern ^/\.well-known/.*$ defined in the allow rules. When the PathChecker processes the request, it evaluates the client-controlled header before performing the standard URL path matching, allowing attackers to appear as legitimate requests to well-known endpoints that are typically exempt from challenge requirements. This represents a classic case of insecure input handling where user-supplied data is trusted without proper validation or sanitization.

From an operational standpoint, this vulnerability compromises the fundamental security posture of Anubis by enabling bypass of the automated bot detection and challenge mechanisms. Attackers can now circumvent the firewall's protection by simply crafting requests with specific X-Original-URI values that match legitimate paths, thereby gaining unrestricted access to upstream resources without undergoing the required authentication or verification processes. The impact extends beyond simple access bypass to potentially enable more sophisticated attacks including data scraping, service abuse, and resource exhaustion.

The vulnerability aligns with CWE-20, "Improper Input Validation," and represents a path traversal or header manipulation issue where client-controlled data is improperly trusted in security-critical contexts. From an attack perspective, this flaw maps to techniques described in the MITRE ATT&CK framework under T1071.004 for Application Layer Protocol: DNS and T1566 for Phishing with Spoofed Credentials, as attackers can manipulate HTTP headers to bypass protections. The fix implemented in version 1.26.0-pre1 addresses this by ensuring that client-controlled headers are no longer trusted for security decision-making processes, requiring proper validation before any rule matching occurs.

Security recommendations include implementing strict header validation policies where client-supplied values are never directly used in access control decisions without additional verification steps. Organizations should also consider implementing comprehensive logging of header manipulation attempts and establish monitoring procedures to detect anomalous patterns that might indicate exploitation attempts. The remediation approach demonstrates the importance of principle of least privilege in security implementations, where trust boundaries are clearly defined and validated before any security-sensitive operations are performed.

Responsible

GitHub M

Reservation

07/13/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!