Which versions of Heimdall are affected by CVE-2026-42273?

Heimdall versions prior to 0.17.14 contain a host-matching bypass vulnerability that allows attackers to circumvent access control policies by manipulating HTTP Host header casing, potentially…. A patch is available.

Heimdall CVE-2026-42273

Q: What is the CVSS score of CVE-2026-42273?

CVE-2026-42273 has a CVSS 4.0 base score of 7.8 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-28509 HIGH

Interpretation Conflict (CWE-436)

2026-05-08 GitHub_M

GHSA-72h4-mxfc-jx37

Information Disclosure

7.8

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 08, 2026 - 05:01 EUVD

Source Code Evidence Fetched

May 08, 2026 - 04:34 vuln.today

Analysis Generated

May 08, 2026 - 04:34 vuln.today

CVSS changed

May 08, 2026 - 04:22 NVD

7.8 (HIGH)

CVE Published

May 08, 2026 - 03:42 nvd

HIGH 7.8

DescriptionNVD

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host that differs only in letter casing, potentially causing the request to be classified differently than intended. This issue has been patched in version 0.17.14.

AnalysisAI

Heimdall's case-sensitive host matching bypasses access control policies when attackers submit HTTP requests with alternate letter casing in the Host header, exploiting the discrepancy between HTTP spec (case-insensitive hostnames) and Heimdall's implementation. Versions prior to 0.17.14 fail to match rules configured for lowercase hostnames when requests arrive with mixed or uppercase casing, potentially routing to permissive default rules and granting unintended access. …

RemediationAI

Within 24 hours: Audit current Heimdall deployment version and inventory all configured hostname-based access control rules. Within 7 days: Implement case-insensitive hostname matching validation rules as a compensating control and review default rule enforcement flags to ensure deny-by-default posture is active. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42273 vulnerability details – vuln.today

Back

Heimdall CVE-2026-42273

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Heimdall CVE-2026-42273

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code