Anubis
CVE-2026-62314
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Network exploitable via single HTTP header (AV:N/AC:L/PR:N/UI:N); scope changes because bypass exposes upstream systems beyond Anubis; confidentiality limited to indirect upstream access (C:L), no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots. From 1.22.0 until 1.26.0-pre1, lib/policy/checker.go PathChecker.Check() trusted the client-controlled X-Original-URI header before matching r.URL.Path, allowing an HTTP client to match default data/common/keep-internet-working.yaml ALLOW rules such as ^/\.well-known/.*$ and bypass the Anubis challenge. This issue is fixed in version 1.26.0-pre1.
AnalysisAI
Challenge bypass in Anubis Web AI Firewall (versions 1.22.0 through pre-1.26.0-pre1) allows unauthenticated remote HTTP clients to circumvent bot-challenge enforcement by supplying a crafted X-Original-URI header. PathChecker.Check() in lib/policy/checker.go unconditionally trusted this client-controlled header over the actual request path, enabling any client to match default ALLOW rules (e.g., ^/\.well-known/.*$) and reach upstream resources without completing the Anubis challenge. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that Anubis is deployed as an HTTP intermediary (reverse proxy or subrequest auth endpoint) accessible to the attacker over the network, and that the target deployment uses the default data/common/keep-internet-working.yaml policy or any other policy containing ALLOW rules with path regex patterns the attacker can match via a crafted header value (e.g., ^/\.well-known/.*$, ^/robots\.txt$). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 5.8 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N accurately characterizes the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting a site protected by Anubis sends an HTTP GET request to any Anubis-guarded endpoint and includes the header X-Original-URI: /.well-known/acme-challenge/bypass. Anubis reads the client-supplied header, evaluates the path against the default ALLOW rules in keep-internet-working.yaml, matches the ^/\.well-known/.*$ pattern, and forwards the request to the upstream resource without issuing a bot challenge. … |
| Remediation | Upgrade Anubis to version 1.26.0-pre1 or later, available at https://github.com/TecharoHQ/anubis/releases/tag/v1.26.0-pre1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today