{ "threat_severity" : "Important", "public_date" : "2026-05-04T19:31:57Z", "bugzilla" : { "description" : "fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies", "id" : "2466582", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2466582" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-22", "details" : [ "A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by providing a specially crafted Uniform Resource Locator (URL) containing percent-encoded path separators and dot segments. Due to incorrect processing, fast-uri would decode these elements before proper normalization, leading to distinct URLs resolving to the same internal path. This could allow an attacker to bypass security policies that rely on path-based comparisons, potentially gaining unauthorized access to resources." ], "affected_release" : [ { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/cephcsi-rhel9:1778576707" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/cephcsi-rhel9-operator:1778576350" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/mcg-core-rhel9:1778769574" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/mcg-rhel9-operator:1778576929" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/ocs-client-console-rhel9:1778770148" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/ocs-client-rhel9-operator:1778576957" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/ocs-metrics-exporter-rhel9:1779093256" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/ocs-rhel9-operator:1778577150" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/odf-cli-rhel9:1778577175" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/odf-cloudnative-pg-rhel9-operator:1778577083" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/odf-console-rhel9:1778770362" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/odf-cosi-sidecar-rhel9:1778577169" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/odf-csi-addons-rhel9-operator:1778577201" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/odf-csi-addons-sidecar-rhel9:1778577489" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/odf-multicluster-console-rhel9:1778770439" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/odf-multicluster-rhel9-operator:1778577548" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/odf-must-gather-rhel9:1778770127" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/odf-rhel9-operator:1778577523" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/odr-rhel9-operator:1778577519" }, { "product_name" : "Red Hat Openshift Data Foundation 4.19", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19238", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9", "package" : "odf4/rook-ceph-rhel9-operator:1778577696" } ], "package_state" : [ { "product_name" : "Confidential Compute Attestation", "fix_state" : "Affected", "package_name" : "openshift-sandboxed-containers/osc-pccs", "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1" }, { "product_name" : "Cryostat 4", "fix_state" : "Not affected", "package_name" : "cryostat-openshift-console-plugin-npm", "cpe" : "cpe:/a:redhat:cryostat:4" }, { "product_name" : "Network Observability Operator", "fix_state" : "Affected", "package_name" : "network-observability/network-observability-console-plugin-rhel9", "cpe" : "cpe:/a:redhat:network_observ_optr:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Affected", "package_name" : "openshift-pipelines/pipelines-console-plugin-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Affected", "package_name" : "openshift-pipelines/pipelines-console-plugin-rhel9", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Will not fix", "package_name" : "ansible-automation-platform-24/lightspeed-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform-25/lightspeed-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform-26/gateway-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform-26/lightspeed-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform/automation-dashboard-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform-tech-preview/mcp-server-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "automation-gateway", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "automation-platform-ui", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Affected", "package_name" : "io.hawt-project", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat Build of Podman Desktop", "fix_state" : "Affected", "package_name" : "podman-desktop-macos-1-0", "cpe" : "cpe:/a:redhat:podman_desktop:1" }, { "product_name" : "Red Hat Build of Podman Desktop", "fix_state" : "Affected", "package_name" : "podman-desktop-windows-1-0", "cpe" : "cpe:/a:redhat:podman_desktop:1" }, { "product_name" : "Red Hat Build of Podman Desktop - Tech Preview", "fix_state" : "Affected", "package_name" : "rhdesktop/rh-podman-desktop-ext-bootc-rhel10", "cpe" : "cpe:/a:redhat:podman_desktop:0" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Affected", "package_name" : "org.infinispan-infinispan-console", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Developer Hub", "fix_state" : "Will not fix", "package_name" : "rhdh/backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor", "cpe" : "cpe:/a:redhat:rhdh:1" }, { "product_name" : "Red Hat Developer Hub", "fix_state" : "Affected", "package_name" : "rhdh/rhdh-hub-rhel9", "cpe" : "cpe:/a:redhat:rhdh:1" }, { "product_name" : "Red Hat Discovery 2", "fix_state" : "Affected", "package_name" : "discovery/discovery-ui-rhel9", "cpe" : "cpe:/a:redhat:discovery:2::el9" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Affected", "package_name" : "linux-sgx", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "linux-sgx", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-dashboard-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-dashboard-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-mlflow-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-mod-arch-gen-ai-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-mod-arch-maas-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-mod-arch-model-registry-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-minimal-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-minimal-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-minimal-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-monitoring-plugin-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/dashboard-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "nodejs-compression-webpack-plugin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "nodejs-mini-css-extract-plugin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "nodejs-webpack", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "satellite/iop-advisor-frontend-rhel9", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "streams for Apache Kafka 2", "fix_state" : "Not affected", "package_name" : "com.github.streamshub-console", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "streams for Apache Kafka 3", "fix_state" : "Not affected", "package_name" : "com.github.streamshub-console", "cpe" : "cpe:/a:redhat:amq_streams:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-6321\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6321\nhttps://cna.openjsf.org/security-advisories.html\nhttps://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6" ], "name" : "CVE-2026-6321", "csaw" : false }