{"api_version":"1","generated_at":"2026-07-01T01:55:55+00:00","cve":"CVE-2026-13676","urls":{"html":"https://cve.report/CVE-2026-13676","api":"https://cve.report/api/cve/CVE-2026-13676.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-13676","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-13676"},"summary":{"title":"fast-uri vulnerable to host confusion via failed IDN canonicalization","description":"fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.","state":"PUBLISHED","assigner":"openjs","published_at":"2026-06-29 14:16:47","updated_at":"2026-06-30 03:17:14"},"problem_types":["CWE-436","CWE-551","CWE-436 CWE-436: Interpretation Conflict","CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"],"metrics":[{"version":"3.1","source":"ADP","type":"CVSS","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}},{"version":"3.1","source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","data":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://cna.openjsf.org/security-advisories.html","name":"https://cna.openjsf.org/security-advisories.html","refsource":"ce714d77-add3-4f53-aff5-83d477b104bb","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-13676","name":"https://access.redhat.com/security/cve/CVE-2026-13676","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2494197","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2494197","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-13676.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-13676.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/fastify/fast-uri/security/advisories/GHSA-4c8g-83qw-93j6","name":"https://github.com/fastify/fast-uri/security/advisories/GHSA-4c8g-83qw-93j6","refsource":"ce714d77-add3-4f53-aff5-83d477b104bb","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-13676","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-13676","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"fast-uri","product":"fast-uri","version":"affected 4.0.0 4.0.1 semver","platforms":[]},{"source":"CNA","vendor":"fast-uri","product":"fast-uri","version":"unaffected 4.0.1 semver","platforms":[]},{"source":"CNA","vendor":"fast-uri","product":"fast-uri","version":"affected 2.3.1 3.1.3 semver","platforms":[]},{"source":"CNA","vendor":"fast-uri","product":"fast-uri","version":"unaffected 3.1.3 semver","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Confidential Compute Attestation","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Cryostat 4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Migration Toolkit for Applications 8","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Migration Toolkit for Containers","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Multicluster Engine for Kubernetes","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Network Observability Operator","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Lightspeed","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Pipelines","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Serverless","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Advanced Cluster Management for Kubernetes 2","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat AMQ Broker 7","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Ansible Automation Platform 2","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat build of Apache Camel - HawtIO 4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat build of Apicurio Registry 3","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Build of Podman Desktop","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Connectivity Link 1","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Data Grid 8","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Developer Hub","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Discovery 2","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Edge Manager 1","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 10","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 9","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift AI (RHOAI)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Openshift Data Foundation 4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift Dev Spaces","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift Virtualization 4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Quay 3","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Satellite 6","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Self-service automation portal 2","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-06-29T14:01:55.592Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-06-29T13:22:44.674Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"ADP","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"celinke97","lang":"en"},{"source":"CNA","value":"UlisesGascon","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"13676","cve":"CVE-2026-13676","epss":"0.002780000","percentile":"0.195360000","score_date":"2026-06-30","updated_at":"2026-07-01 00:05:16"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-13676","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-29T13:53:20.906495Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-29T13:53:31.092Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"cpes":["cpe:/a:redhat:confidential_compute_attestation:1"],"defaultStatus":"affected","product":"Confidential Compute Attestation","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:cryostat:4"],"defaultStatus":"affected","product":"Cryostat 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:migration_toolkit_applications:8"],"defaultStatus":"affected","product":"Migration Toolkit for Applications 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhmt:1"],"defaultStatus":"affected","product":"Migration Toolkit for Containers","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:multicluster_engine"],"defaultStatus":"affected","product":"Multicluster Engine for Kubernetes","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:network_observ_optr:1"],"defaultStatus":"affected","product":"Network Observability Operator","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_lightspeed"],"defaultStatus":"affected","product":"OpenShift Lightspeed","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_pipelines:1"],"defaultStatus":"affected","product":"OpenShift Pipelines","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:serverless:1"],"defaultStatus":"affected","product":"OpenShift Serverless","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:acm:2"],"defaultStatus":"affected","product":"Red Hat Advanced Cluster Management for Kubernetes 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_broker:7"],"defaultStatus":"affected","product":"Red Hat AMQ Broker 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apache_camel_hawtio:4"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel - HawtIO 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apicurio_registry:3"],"defaultStatus":"affected","product":"Red Hat build of Apicurio Registry 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:podman_desktop:1"],"defaultStatus":"affected","product":"Red Hat Build of Podman Desktop","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:connectivity_link:1"],"defaultStatus":"affected","product":"Red Hat Connectivity Link 1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_data_grid:8"],"defaultStatus":"affected","product":"Red Hat Data Grid 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhdh:1"],"defaultStatus":"affected","product":"Red Hat Developer Hub","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:discovery:2::el9"],"defaultStatus":"affected","product":"Red Hat Discovery 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:edge_manager:1"],"defaultStatus":"affected","product":"Red Hat Edge Manager 1","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_data_foundation:4"],"defaultStatus":"affected","product":"Red Hat Openshift Data Foundation 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_devspaces:3"],"defaultStatus":"affected","product":"Red Hat OpenShift Dev Spaces","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:container_native_virtualization:4"],"defaultStatus":"affected","product":"Red Hat OpenShift Virtualization 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quay:3"],"defaultStatus":"affected","product":"Red Hat Quay 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"affected","product":"Red Hat Satellite 6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_portal:2"],"defaultStatus":"affected","product":"Self-service automation portal 2","vendor":"Red Hat"}],"datePublic":"2026-06-29T13:22:44.674Z","descriptions":[{"lang":"en","value":"A flaw was found in fast-uri. This vulnerability occurs because fast-uri fails to properly convert Unicode (Internationalized Domain Name - IDN) hostnames for HTTP-family URLs. This can lead to a situation where security policies, such as denylists or redirect validations, are bypassed when applications use fast-uri to enforce these policies before passing the URL to another parser. A remote attacker could exploit this to circumvent security controls and potentially access unauthorized resources or perform malicious redirects."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-551","description":"Incorrect Behavior Order: Authorization Before Parsing and Canonicalization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T02:41:29.165Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-13676"},{"name":"RHBZ#2494197","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2494197"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-13676.json"}],"timeline":[{"lang":"en","time":"2026-06-29T14:01:55.592Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-29T13:22:44.674Z","value":"Made public."}],"title":"fast-uri: fast-uri: Security policy bypass due to improper Unicode hostname canonicalization","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"defaultStatus":"unaffected","packageURL":"pkg:npm/fast-uri","product":"fast-uri","vendor":"fast-uri","versions":[{"lessThan":"4.0.1","status":"affected","version":"4.0.0","versionType":"semver"},{"status":"unaffected","version":"4.0.1","versionType":"semver"},{"lessThan":"3.1.3","status":"affected","version":"2.3.1","versionType":"semver"},{"status":"unaffected","version":"3.1.3","versionType":"semver"}]}],"credits":[{"lang":"en","type":"reporter","value":"celinke97"},{"lang":"en","type":"remediation developer","value":"UlisesGascon"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks."}],"value":"fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks."}],"metrics":[{"cvssV3_1":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-436","description":"CWE-436: Interpretation Conflict","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-29T13:22:44.674Z","orgId":"ce714d77-add3-4f53-aff5-83d477b104bb","shortName":"openjs"},"references":[{"url":"https://github.com/fastify/fast-uri/security/advisories/GHSA-4c8g-83qw-93j6"},{"url":"https://cna.openjsf.org/security-advisories.html"}],"title":"fast-uri vulnerable to host confusion via failed IDN canonicalization","x_generator":{"engine":"cve-kit 1.0.0"}}},"cveMetadata":{"assignerOrgId":"ce714d77-add3-4f53-aff5-83d477b104bb","assignerShortName":"openjs","cveId":"CVE-2026-13676","datePublished":"2026-06-29T13:22:44.674Z","dateReserved":"2026-06-29T10:37:49.461Z","dateUpdated":"2026-06-30T02:41:29.165Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-29 14:16:47","lastModifiedDate":"2026-06-30 03:17:14","problem_types":["CWE-436","CWE-551","CWE-436 CWE-436: Interpretation Conflict","CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"],"metrics":{"cvssMetricV31":[{"source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-29T13:53:20.906495Z","id":"CVE-2026-13676","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"13676","Ordinal":"1","Title":"fast-uri vulnerable to host confusion via failed IDN canonicaliz","CVE":"CVE-2026-13676","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"13676","Ordinal":"1","NoteData":"fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.","Type":"Description","Title":"fast-uri vulnerable to host confusion via failed IDN canonicaliz"}]}}}