CVE-2026-6321: fast-uri Path Normalization Bypass
The National Vulnerability Database has published CVE-2026-6321, which affects fast-uri versions up to and including 3.1.0. The flaw is in how the normalize() and equal() functions handle percent-encoded path separators and dot segments: the library percent-decoded the path before removing dot segments, so an encoded separator (%2F) became a real segment boundary and an encoded ".." could then be resolved across it.
Because decoding runs first, two URIs that look different can normalize to the same path, and a URI that appears to stay under an allowed prefix can normalize to an entirely different location. Applications that rely on fast-uri for path-based policy decisions (access control, routing, content delivery) inherit that mismatch: an attacker can submit a URL that passes a check in its encoded form and resolves to a restricted resource once normalized.
NVD scores the issue CVSS 7.5 (High), recording a high impact on integrity and none on confidentiality or availability. The weakness is classified as CWE-22 (Path Traversal); here the traversal is a logic error in normalization rather than a missing filesystem check. Organizations using fast-uri should update to version 3.1.1 or later.
What This Means For You
- If your applications use `fast-uri` for URL normalization or comparison, and particularly if the result feeds a security decision (access control, routing, content delivery), you are affected. An attacker can craft a URL with percent-encoded separators and dot segments that passes the check you intended and resolves somewhere else. Audit your dependency tree for `fast-uri`, checking lockfiles rather than only direct dependencies since it is often pulled in transitively, and update to 3.1.1 or newer. This is a direct policy bypass, not a theoretical bug.
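To make the ordering mistake concrete, here is an added example written for this page (it is not fast-uri's source and does not reproduce its fix): a small RFC 3986 path normalizer implemented in two orders, the flawed order the advisory describes (percent-decode, then remove dot segments) and the order that keeps `%2F` opaque. The `/files/public/` allowlist, the function names and the request paths are assumptions for illustration.

```javascript
// Added illustrative example for this page. NOT fast-uri's code and NOT its
// fix; the /files/public/ policy and all paths below are assumptions.

// A segment RFC 3986 treats as "." or "..", including percent-encoded spellings:
// %2E is an unreserved character, so "%2e%2e" is ".." to a normalizer.
const DOT = /^(?:\.|%2e)$/i;
const DOTDOT = /^(?:\.|%2e){2}$/i;

// RFC 3986 section 5.2.4 remove_dot_segments, applied to the path AS RECEIVED.
// Only literal "/" characters delimit segments; an encoded %2F stays inside
// whatever segment it appears in.
function removeDotSegments(path) {
  const absolute = path.startsWith('/');
  const segs = (absolute ? path.slice(1) : path).split('/');
  const out = [];
  segs.forEach((seg, i) => {
    const last = i === segs.length - 1;
    if (DOT.test(seg)) {
      if (last) out.push('');           // "/a/."    -> "/a/"
    } else if (DOTDOT.test(seg)) {
      out.pop();                         // pop on empty is a no-op: never climbs above "/"
      if (last) out.push('');           // "/a/b/.." -> "/a/"
    } else {
      out.push(seg);
    }
  });
  return (absolute ? '/' : '') + out.join('/');
}

// Percent-decode only unreserved characters (RFC 3986 section 6.2.2.2) and
// uppercase the hex of everything else, so "%2f" becomes "%2F", never "/".
function decodeUnreserved(path) {
  return path.replace(/%([0-9a-f]{2})/gi, (_, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return /^[A-Za-z0-9\-._~]$/.test(ch) ? ch : '%' + hex.toUpperCase();
  });
}

// Flawed order (the shape the advisory describes): decode everything first,
// then remove dot segments. "..%2f..%2fadmin" has become "../../admin" by the
// time dot-segment removal runs, so it climbs out of its own segment.
function normalizeVulnerable(path) {
  return removeDotSegments(decodeURIComponent(path));
}

// Safe order: dot-segment removal on the raw segments, then a decode step that
// cannot manufacture a new separator.
function normalizeSafe(path) {
  return decodeUnreserved(removeDotSegments(path));
}

// equal() in the style of a URI library: two URIs are equal if they normalize
// to the same string. Parameterised by the normalizer so both can be compared.
function equalWith(normalize, a, b) {
  return normalize(a) === normalize(b);
}

const PUBLIC = '/files/public/';

// Anti-pattern: a router has matched the prefix on the raw path and the handler
// normalizes afterwards. The returned target is what the backend would resolve.
function routerThenNormalize(normalize, rawPath) {
  if (!rawPath.startsWith(PUBLIC)) return null;
  return normalize(rawPath);
}

// Safer pattern: normalize first, then require the NORMALIZED path to still be
// under the allowed prefix; otherwise refuse (null).
function resolveUnderPublic(normalize, rawPath) {
  const target = normalize(rawPath);
  return target.startsWith(PUBLIC) ? target : null;
}

// Stand-alone demonstration.
const probe = '/files/public/..%2f..%2fadmin%2fsecret';
console.log('vulnerable:', routerThenNormalize(normalizeVulnerable, probe));  // /admin/secret
console.log('safe:      ', routerThenNormalize(normalizeSafe, probe));        // stays under /files/public/
console.log('equal(vuln):', equalWith(normalizeVulnerable, '/files/..%2fadmin%2fsecret', '/admin/secret'));
console.log('equal(safe):', equalWith(normalizeSafe, '/files/..%2fadmin%2fsecret', '/admin/secret'));
console.log('encoded dots:', resolveUnderPublic(normalizeSafe, '/files/public/%2e%2e/admin'));
```

With the flawed order, `/files/public/..%2f..%2fadmin%2fsecret` passes a raw-prefix check and normalizes to `/admin/secret`; with the safe order it remains a single opaque segment under `/files/public/`, and `equal()` no longer reports the two distinct-looking URIs as identical. The last line shows a second trap that the safe order does not remove: RFC 3986 treats `%2e` as an unreserved character, so `/files/public/%2e%2e/admin` legitimately normalizes to `/files/admin`. The prefix check therefore has to run on the normalized path (as `resolveUnderPublic` does), never on the path the router happened to match.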
🛡️ Detection Rules
```yaml
title: 'CVE-2026-6321: fast-uri Path Normalization Bypass Attempt'
id: scw-2026-05-04-ai-1
status: experimental
level: high
description: |
  Detects requests whose URI contains percent-encoded or double-encoded ".."
  and "/" sequences, the input shape used to exploit CVE-2026-6321. fast-uri
  versions prior to 3.1.1 percent-decode the path before removing dot
  segments, so such a URI can normalize to a location outside the prefix it
  appears to stay within and bypass path-based access controls. Match on the
  request URI as received; a server that logs the already-decoded path will
  not trigger this rule.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-6321/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/..%252f'
      - '/..%2f'
      - '%2e%2e%2f'
      - '%2e%2e%252f'
  condition: selection
falsepositives:
  - Vulnerability scanners and authorized web application testing
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
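To see what the selection above actually fires on, here is an added example (not part of the rule, and not fast-uri code) that replays the rule's `cs-uri|contains` list over a few constructed W3C-style web server log lines. The log format, client addresses and request paths are invented for the demonstration; `EXTENDED_PATTERNS` is a suggested addition for the reader to evaluate, not something the rule contains.

```javascript
// Added example for this page: replay of the Sigma selection over CONSTRUCTED
// web server log lines. Not part of the rule above and not fast-uri code.

// The four patterns from the rule's cs-uri|contains list, copied verbatim.
// Sigma string matching is case-insensitive, so the matcher lowercases both sides.
const RULE_PATTERNS = ['/..%252f', '/..%2f', '%2e%2e%2f', '%2e%2e%252f'];

// Suggested addition (not in the rule): encoded ".." followed by a literal
// slash, which the advisory's description covers but the list does not.
const EXTENDED_PATTERNS = [...RULE_PATTERNS, '%2e%2e/'];

// Constructed W3C-extended-style lines (date time c-ip cs-method cs-uri sc-status).
// Not from any real incident. The last line is what a server that logs the
// DECODED request path would record for the same traversal attempt.
const SAMPLE_LOG = `
2026-05-04 23:20:01 203.0.113.10 GET /files/public/readme.txt 200
2026-05-04 23:20:02 203.0.113.10 GET /files/public/..%2f..%2fadmin%2fsecret 200
2026-05-04 23:20:03 203.0.113.11 GET /files/public/%2e%2e%252fadmin 404
2026-05-04 23:20:04 203.0.113.12 GET /files/public/%2e%2e/admin 200
2026-05-04 23:20:05 203.0.113.13 GET /files/public/../../admin/secret 200
`.trim();

// Parse one whitespace-separated log line into named fields.
function parseLine(line) {
  const [date, time, clientIp, method, uri, status] = line.split(/\s+/);
  return { date, time, clientIp, method, uri, status: Number(status) };
}

// Return the patterns that occur in the URI (case-insensitive substring match,
// which is how Sigma's `contains` modifier behaves).
function matches(uri, patterns) {
  const u = uri.toLowerCase();
  return patterns.filter(p => u.includes(p.toLowerCase()));
}

// Run the selection over a whole log and return only the matching entries,
// each annotated with the patterns that hit.
function runRule(log, patterns) {
  return log.split('\n')
    .map(parseLine)
    .map(e => ({ ...e, hits: matches(e.uri, patterns) }))
    .filter(e => e.hits.length > 0);
}

// Stand-alone demonstration.
for (const e of runRule(SAMPLE_LOG, RULE_PATTERNS)) {
  console.log(`rule     ${e.time} ${e.clientIp} ${e.uri} <- ${e.hits.join(', ')}`);
}
for (const e of runRule(SAMPLE_LOG, EXTENDED_PATTERNS)) {
  console.log(`extended ${e.time} ${e.clientIp} ${e.uri} <- ${e.hits.join(', ')}`);
}
```

The rule as written catches the two encoded-slash variants but not `/files/public/%2e%2e/admin`, where only the dots are encoded; the extended list picks that one up. Nothing catches the final line, where the server logged the already-decoded path, so confirm that the log source records the request URI as received before relying on this rule.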
Affected Components (CVE-2026-6321)
| Item | Detail |
|---|---|
| Vulnerable versions | fast-uri <= 3.1.0 (fixed in 3.1.1) |
| Affected functions | normalize() and equal() |
| Root cause | Percent-encoded path separators and dot segments are decoded before dot-segment removal (CWE-22) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.