CVE-2026-6321

high Red Hat
CVSS v3 Base Score
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score
0.0%
Exploitation probability in 30 days
Top 85% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Confidentiality
None
Integrity
High
Availability
None
Published: May 4, 2026 (66 days ago)
Last Modified: May 4, 2026
Vendor: Red Hat
Fix Available: ✓ Yes
Source: REDHAT

Description

A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by providing a specially crafted Uniform Resource Locator (URL) containing percent-encoded path separators and dot segments. Due to incorrect processing, fast-uri would decode these elements before proper normalization, leading to distinct URLs resolving to the same internal path. This could allow an attacker to bypass security policies that rely on path-based comparisons, potentially gaining unauthorized access to resources.

CWE

CWE-22

Affected Products

Confidential Compute AttestationCryostat 4Network Observability OperatorOpenShift PipelinesRed Hat Ansible Automation Platform 2Red Hat build of Apache Camel - HawtIO 4Red Hat Build of Podman DesktopRed Hat Build of Podman Desktop - Tech PreviewRed Hat Data Grid 8Red Hat Developer Hub

Fix Status

✅ Fix Available

References