Skip to main content

Heimdall CVE-2026-42274

| EUVDEUVD-2026-28510 HIGH
Path Traversal: '.../...//' (CWE-35)
2026-05-08 GitHub_M GHSA-3q34-rx83-r6mq
7.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch available
May 08, 2026 - 05:01 EUVD
Source Code Evidence Fetched
May 08, 2026 - 04:33 vuln.today
Analysis Generated
May 08, 2026 - 04:33 vuln.today
CVSS changed
May 08, 2026 - 04:22 NVD
7.8 (HIGH)
CVE Published
May 08, 2026 - 03:43 nvd
HIGH 7.8

DescriptionGitHub Advisory

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14.

AnalysisAI

Authorization bypass in Heimdall cloud-native Identity Aware Proxy allows remote unauthenticated attackers to circumvent access control policies via path normalization mismatches. Attackers can craft requests with encoded or relative path traversal sequences (e.g., /public/../admin, /user/%2e%2e/admin) that Heimdall evaluates against one rule while downstream services normalize to a different protected path, enabling unauthorized access to restricted resources or functionality. No public exploit identified at time of analysis, though CVSS vector indicates network-accessible, low-complexity exploitation (CVSS:4.0 AV:N/AC:L/PR:N). Fixed in version 0.17.14.

Technical ContextAI

Heimdall is a cloud-native Identity Aware Proxy and Access Control Decision service written in Go (github.com/dadrus/heimdall). The vulnerability stems from CWE-35 (Path Traversal) where Heimdall performs rule matching on raw, non-normalized HTTP request paths while downstream components normalize dot-segments per RFC 3986 Section 6.2.2.3. This classic normalization mismatch occurs when path components like '../' or URL-encoded equivalents '%2e%2e/' bypass upstream access control checks but are later resolved by backend services. The affected component uses free wildcards (e.g., '/user/' or '/public/') in YAML-based routing rules without path canonicalization, creating a semantic gap between authorization decision and actual resource access. The CPE cpe:2.3:a:dadrus:heimdall:*:*:*:*:*:*:*:* identifies all versions prior to 0.17.14 as vulnerable.

RemediationAI

Upgrade to Heimdall version 0.17.14 or later, which includes path normalization fixes per commit b5dfa484b7a8c2ce6d8691c026f9da867719947a (https://github.com/dadrus/heimdall/commit/b5dfa484b7a8c2ce6d8691c026f9da867719947a). Release details available at https://github.com/dadrus/heimdall/releases/tag/v0.17.14 and patch implementation in PR #3209 (https://github.com/dadrus/heimdall/pull/3209). For environments unable to upgrade immediately, implement path normalization or rejection of relative path expressions in layers upstream of Heimdall. Traefik performs this normalization by default; Envoy requires enabling the normalize_path configuration option (https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path). As an additional defense-in-depth measure, include the expected rule ID in JWTs issued by Heimdall and validate this in downstream services, though this adds operational complexity and latency. Note that workarounds do not address the root cause and may be bypassed if normalization logic differs between components.

Share

CVE-2026-42274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy