Cyber Resilience

CVE-2026-6322

Severity: High (updated)

Published: 05 May 2026
Modified: 12 May 2026
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS score: 0.0001 (1.9th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-6322 is a high-severity Interpretation Conflict (CWE-436) vulnerability in Openjsf Fast-Uri. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 1.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-6322 is a vulnerability in the fast-uri JavaScript library's normalize() function, which incorrectly decodes percent-encoded authority delimiters within the host component and re-emits them as raw delimiters during serialization. This affects versions of fast-uri up to and including 3.1.1. Specifically, a maliciously crafted host combining an allowed domain, an encoded at-sign (@), and a different domain results in the normalized URI re-emitting the at-sign as a raw userinfo separator, effectively altering the URI's authority to the second domain. The issue is classified under CWE-436 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Attackers can exploit this vulnerability remotely without authentication by supplying untrusted URLs to applications that invoke fast-uri's normalize() prior to performing host allowlist checks, redirect validation, or outbound request routing. Successful exploitation steers the application to a different authority than intended, potentially enabling open redirects, SSRF, or unintended network requests to attacker-controlled hosts.

Advisories from the OpenJS Foundation CNA and the fast-uri GitHub security advisory (GHSA-v39h-62p7-jpjc) recommend updating to fast-uri version 3.1.2 or later, where the normalization logic has been corrected to prevent decoding and re-emission of these delimiters in the host component.

Vulnerability details

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

The CVE enables remote exploitation of public-facing applications (via malicious URL input reaching normalize() before allowlist, redirect or routing checks), leading to SSRF, open redirects and outbound connections to attacker-controlled hosts. This maps directly to T1190 for initial access and to T1105 for the resulting ingress of attacker-controlled content.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6321 (same product: Openjsf Fast-Uri)
CVE-2026-25244 (same vendor: Openjsf)
CVE-2026-33807 (shared CWE-436)
CVE-2026-33808 (shared CWE-436)
CVE-2026-42551 (shared CWE-436)
CVE-2026-6270 (shared CWE-436)
CVE-2026-33804 (shared CWE-436)
CVE-2026-25223 (shared CWE-436)
CVE-2026-27444 (shared CWE-436)
CVE-2026-41248 (shared CWE-436)

Affected Assets

openjsf
fast-uri
≤ 3.1.2

Mitigating Controls (NIST 800-53 r5) (AI)

prevent, SI-2 Flaw Remediation: Directly addresses the CVE by requiring timely flaw remediation through updating the vulnerable fast-uri library to version 3.1.2 or later.

prevent: Mitigates exploitation by validating untrusted URL inputs for percent-encoded authority delimiters before normalization and host allowlist checks.

prevent, SC-7 Boundary Protection: Boundary protection prevents SSRF and unintended outbound requests to attacker-controlled hosts by enforcing host-based access controls at application and network layers.
