Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14.
AnalysisAI
Authorization bypass in Heimdall cloud-native Identity Aware Proxy allows remote unauthenticated attackers to circumvent access control policies via path normalization mismatches. Attackers can craft requests with encoded or relative path traversal sequences (e.g., /public/../admin, /user/%2e%2e/admin) that Heimdall evaluates against one rule while downstream services normalize to a different protected path, enabling unauthorized access to restricted resources or functionality. No public exploit identified at time of analysis, though CVSS vector indicates network-accessible, low-complexity exploitation (CVSS:4.0 AV:N/AC:L/PR:N). Fixed in version 0.17.14.
Technical ContextAI
Heimdall is a cloud-native Identity Aware Proxy and Access Control Decision service written in Go (github.com/dadrus/heimdall). The vulnerability stems from CWE-35 (Path Traversal) where Heimdall performs rule matching on raw, non-normalized HTTP request paths while downstream components normalize dot-segments per RFC 3986 Section 6.2.2.3. This classic normalization mismatch occurs when path components like '../' or URL-encoded equivalents '%2e%2e/' bypass upstream access control checks but are later resolved by backend services. The affected component uses free wildcards (e.g., '/user/' or '/public/') in YAML-based routing rules without path canonicalization, creating a semantic gap between authorization decision and actual resource access. The CPE cpe:2.3:a:dadrus:heimdall:*:*:*:*:*:*:*:* identifies all versions prior to 0.17.14 as vulnerable.
RemediationAI
Upgrade to Heimdall version 0.17.14 or later, which includes path normalization fixes per commit b5dfa484b7a8c2ce6d8691c026f9da867719947a (https://github.com/dadrus/heimdall/commit/b5dfa484b7a8c2ce6d8691c026f9da867719947a). Release details available at https://github.com/dadrus/heimdall/releases/tag/v0.17.14 and patch implementation in PR #3209 (https://github.com/dadrus/heimdall/pull/3209). For environments unable to upgrade immediately, implement path normalization or rejection of relative path expressions in layers upstream of Heimdall. Traefik performs this normalization by default; Envoy requires enabling the normalize_path configuration option (https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path). As an additional defense-in-depth measure, include the expected rule ID in JWTs issued by Heimdall and validate this in downstream services, though this adds operational complexity and latency. Note that workarounds do not address the root cause and may be bypassed if normalization logic differs between components.
Heimdall's case-sensitive host matching bypasses access control policies when attackers submit HTTP requests with altern
Authorization bypass in Heimdall cloud-native Identity Aware Proxy affects versions prior to 0.17.14 due to case-sensiti
Same weakness CWE-35 – Path Traversal: '.../...//'
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28510
GHSA-3q34-rx83-r6mq