Skip to main content

Heimdall EUVDEUVD-2026-28508

| CVE-2026-42272 HIGH
Interpretation Conflict (CWE-436)
2026-05-08 GitHub_M GHSA-43jv-5j4x-qv67
7.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch available
May 08, 2026 - 05:01 EUVD
Source Code Evidence Fetched
May 08, 2026 - 04:33 vuln.today
Analysis Generated
May 08, 2026 - 04:33 vuln.today
CVSS changed
May 08, 2026 - 04:22 NVD
7.8 (HIGH)
CVE Published
May 08, 2026 - 03:40 nvd
HIGH 7.8

DescriptionGitHub Advisory

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.

AnalysisAI

Authorization bypass in Heimdall cloud-native Identity Aware Proxy affects versions prior to 0.17.14 due to case-sensitive URL-encoded slash handling. Remote unauthenticated attackers can craft requests with lowercase-encoded slashes (%2f) to evade path-based access controls when 'allow_encoded_slashes' is disabled (default). This discrepancy between Heimdall's path interpretation and upstream services enables access to restricted endpoints if a permissive default rule exists. GitHub reports a public fix (PR #3207, commit 8b0de6a) with patched version 0.17.14 released. No public exploit identified at time of analysis. CVSS 7.8 with CVSS:4.0 vector indicates network-accessible, low-complexity attack requiring no privileges or user interaction, though real-world impact depends on deployment configuration.

Technical ContextAI

Heimdall is a cloud-native Identity Aware Proxy implementing Zero Trust access control for microservices. The vulnerability stems from CWE-436 (Interpretation Conflict), where Heimdall treats percent-encoded characters case-sensitively despite RFC 3986 defining percent-encoding as case-insensitive. The affected component is Heimdall's URL path normalization module written in Go (github.com/dadrus/heimdall). When 'allow_encoded_slashes' is set to 'off' (default), Heimdall correctly rejects uppercase %2F but silently passes lowercase %2f. Upstream services (application servers, API gateways) typically normalize %2f to / during processing. This creates a TOCTOU-like condition where Heimdall authorizes based on the literal path '/admin%2fsecret' while the backend processes '/admin/secret'. The fix in v0.17.14 implements case-insensitive percent-encoding recognition. Note: Since v0.16.0, Heimdall enforces secure defaults and refuses to start with overly permissive default rules unless explicitly overridden via --insecure-skip-secure-default-rule-enforcement flag, significantly limiting real-world exploitability.

RemediationAI

Upgrade to Heimdall version 0.17.14 or later, available at https://github.com/dadrus/heimdall/releases/tag/v0.17.14. The fix is implemented in commit 8b0de6aba23a047cfee3081df878271bb17f4351 (PR #3207 at https://github.com/dadrus/heimdall/pull/3207). For environments unable to upgrade immediately, implement these compensating controls: (1) Configure Heimdall's default rule to implement 'deny by default' rather than 'allow all' - this is enforced automatically in v0.16.0+ unless explicitly disabled, so verify --insecure and --insecure-skip-secure-default-rule-enforcement flags are NOT used. (2) Deploy an upstream reverse proxy (e.g., Traefik, nginx with 'merge_slashes off') configured to reject requests containing any percent-encoded slashes (%2F or %2f) before they reach Heimdall - note this may break legitimate applications requiring encoded slashes. (3) Implement request validation in backend services to verify the rule ID in Heimdall-issued JWTs matches expected values for each endpoint, preventing unauthorized rule execution. All workarounds require configuration changes with potential application compatibility impacts; upgrading to v0.17.14 is the recommended permanent fix.

Share

EUVD-2026-28508 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy