CVE-2026-6322: fast-uri Vulnerability Enables URI Authority Hijacking
The National Vulnerability Database has published details for CVE-2026-6322, a high-severity vulnerability (CVSS 7.5) affecting fast-uri versions up to 3.1.1. This flaw stems from how the normalize() function processes percent-encoded authority delimiters within the host component. Specifically, it decodes these delimiters and then re-emits them as raw separators during serialization.
This behavior allows an attacker to craft a URI that, when normalized, can redirect applications to an entirely different authority than the original input suggested. An example cited by the National Vulnerability Database involves a host combining an allowed domain with an encoded at-sign (%40) and a second, malicious domain. Post-normalization, the encoded at-sign becomes a raw userinfo separator, effectively hijacking the URI’s authority to the second domain.
For defenders, this means applications performing URL normalization before critical security checks—such as host allowlisting, redirect validation, or outbound request routing—are at risk. An attacker could exploit this to bypass security controls, directing internal requests or user traffic to malicious infrastructure. The National Vulnerability Database recommends updating to fast-uri version 3.1.2 or later to mitigate this risk.
What This Means For You
- If your applications rely on `fast-uri` for URL normalization, especially in contexts involving host allowlists or redirect validation, you are exposed. This vulnerability allows an attacker to bypass critical security checks, potentially redirecting users or internal systems to unauthorized domains. Prioritize patching `fast-uri` to version 3.1.2 immediately.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-6322: Suspicious URI Authority Hijacking Attempt
title: CVE-2026-6322: Suspicious URI Authority Hijacking Attempt
id: scw-2026-05-05-ai-1
status: experimental
level: high
description: |
Detects attempts to exploit CVE-2026-6322 by observing URIs that contain both a percent-encoded '@' symbol ('%40') and double slashes ('//'). This pattern is indicative of an attempt to craft a malicious URI where the percent-encoded '@' is decoded into a raw '@' by the vulnerable fast-uri library, thereby hijacking the URI's authority component to a different domain than intended. This rule targets the specific URI manipulation technique used in this vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-6322/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '%40'
cs-uri|contains:
- '//'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6322 | Auth Bypass | fast-uri normalize() function |
| CVE-2026-6322 | Open Redirect | fast-uri library versions <= 3.1.1 |
| CVE-2026-6322 | Information Disclosure | URI authority manipulation via percent-encoded delimiters |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 05, 2026 at 14:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Betheme WordPress Arbitrary File Upload RCE (CVE-2026-6261)
CVE-2026-6261 — The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the...
CVE-2026-43571: OpenClaw Plugin Trust Bypass Opens Attack Vectors
CVE-2026-43571 — OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel...
OpenClaw Authentication Bypass (CVE-2026-43569) Poses High Risk
CVE-2026-43569 — OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are...