Skip to main content

Anubis

1 CVEs product

Monthly

CVE-2026-62314 MEDIUM This Month

Challenge bypass in Anubis Web AI Firewall (versions 1.22.0 through pre-1.26.0-pre1) allows unauthenticated remote HTTP clients to circumvent bot-challenge enforcement by supplying a crafted X-Original-URI header. PathChecker.Check() in lib/policy/checker.go unconditionally trusted this client-controlled header over the actual request path, enabling any client to match default ALLOW rules (e.g., ^/\.well-known/.*$) and reach upstream resources without completing the Anubis challenge. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, but the bypass is trivially reproducible with a single HTTP header manipulation.

Authentication Bypass Anubis
NVD GitHub
CVSS 3.1
5.8
EPSS
0.3%
EPSS 0% CVSS 5.8
MEDIUM This Month

Challenge bypass in Anubis Web AI Firewall (versions 1.22.0 through pre-1.26.0-pre1) allows unauthenticated remote HTTP clients to circumvent bot-challenge enforcement by supplying a crafted X-Original-URI header. PathChecker.Check() in lib/policy/checker.go unconditionally trusted this client-controlled header over the actual request path, enabling any client to match default ALLOW rules (e.g., ^/\.well-known/.*$) and reach upstream resources without completing the Anubis challenge. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, but the bypass is trivially reproducible with a single HTTP header manipulation.

Authentication Bypass Anubis
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy