Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.
AnalysisAI
Authorization bypass in Heimdall cloud-native Identity Aware Proxy affects versions prior to 0.17.14 due to case-sensitive URL-encoded slash handling. Remote unauthenticated attackers can craft requests with lowercase-encoded slashes (%2f) to evade path-based access controls when 'allow_encoded_slashes' is disabled (default). This discrepancy between Heimdall's path interpretation and upstream services enables access to restricted endpoints if a permissive default rule exists. GitHub reports a public fix (PR #3207, commit 8b0de6a) with patched version 0.17.14 released. No public exploit identified at time of analysis. CVSS 7.8 with CVSS:4.0 vector indicates network-accessible, low-complexity attack requiring no privileges or user interaction, though real-world impact depends on deployment configuration.
Technical ContextAI
Heimdall is a cloud-native Identity Aware Proxy implementing Zero Trust access control for microservices. The vulnerability stems from CWE-436 (Interpretation Conflict), where Heimdall treats percent-encoded characters case-sensitively despite RFC 3986 defining percent-encoding as case-insensitive. The affected component is Heimdall's URL path normalization module written in Go (github.com/dadrus/heimdall). When 'allow_encoded_slashes' is set to 'off' (default), Heimdall correctly rejects uppercase %2F but silently passes lowercase %2f. Upstream services (application servers, API gateways) typically normalize %2f to / during processing. This creates a TOCTOU-like condition where Heimdall authorizes based on the literal path '/admin%2fsecret' while the backend processes '/admin/secret'. The fix in v0.17.14 implements case-insensitive percent-encoding recognition. Note: Since v0.16.0, Heimdall enforces secure defaults and refuses to start with overly permissive default rules unless explicitly overridden via --insecure-skip-secure-default-rule-enforcement flag, significantly limiting real-world exploitability.
RemediationAI
Upgrade to Heimdall version 0.17.14 or later, available at https://github.com/dadrus/heimdall/releases/tag/v0.17.14. The fix is implemented in commit 8b0de6aba23a047cfee3081df878271bb17f4351 (PR #3207 at https://github.com/dadrus/heimdall/pull/3207). For environments unable to upgrade immediately, implement these compensating controls: (1) Configure Heimdall's default rule to implement 'deny by default' rather than 'allow all' - this is enforced automatically in v0.16.0+ unless explicitly disabled, so verify --insecure and --insecure-skip-secure-default-rule-enforcement flags are NOT used. (2) Deploy an upstream reverse proxy (e.g., Traefik, nginx with 'merge_slashes off') configured to reject requests containing any percent-encoded slashes (%2F or %2f) before they reach Heimdall - note this may break legitimate applications requiring encoded slashes. (3) Implement request validation in backend services to verify the rule ID in Heimdall-issued JWTs matches expected values for each endpoint, preventing unauthorized rule execution. All workarounds require configuration changes with potential application compatibility impacts; upgrading to v0.17.14 is the recommended permanent fix.
Authorization bypass in Heimdall cloud-native Identity Aware Proxy allows remote unauthenticated attackers to circumvent
Heimdall's case-sensitive host matching bypasses access control policies when attackers submit HTTP requests with altern
Same weakness CWE-436 – Interpretation Conflict
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28508
GHSA-43jv-5j4x-qv67