Skip to main content

Heimdall

3 CVEs product

Monthly

CVE-2026-42274 Go HIGH PATCH GHSA This Week

Authorization bypass in Heimdall cloud-native Identity Aware Proxy allows remote unauthenticated attackers to circumvent access control policies via path normalization mismatches. Attackers can craft requests with encoded or relative path traversal sequences (e.g., /public/../admin, /user/%2e%2e/admin) that Heimdall evaluates against one rule while downstream services normalize to a different protected path, enabling unauthorized access to restricted resources or functionality. No public exploit identified at time of analysis, though CVSS vector indicates network-accessible, low-complexity exploitation (CVSS:4.0 AV:N/AC:L/PR:N). Fixed in version 0.17.14.

Information Disclosure Heimdall
NVD GitHub
CVSS 4.0
7.8
EPSS
0.0%
CVE-2026-42273 Go HIGH PATCH GHSA This Week

Heimdall's case-sensitive host matching bypasses access control policies when attackers submit HTTP requests with alternate letter casing in the Host header, exploiting the discrepancy between HTTP spec (case-insensitive hostnames) and Heimdall's implementation. Versions prior to 0.17.14 fail to match rules configured for lowercase hostnames when requests arrive with mixed or uppercase casing, potentially routing to permissive default rules and granting unintended access. This vulnerability is most dangerous when Heimdall is deployed with insecure default rule enforcement flags enabled, though it requires attackers to know the exact hostname pattern and exploit misconfiguration.

Information Disclosure Heimdall
NVD GitHub
CVSS 4.0
7.8
EPSS
0.0%
CVE-2026-42272 Go HIGH PATCH GHSA This Week

Authorization bypass in Heimdall cloud-native Identity Aware Proxy affects versions prior to 0.17.14 due to case-sensitive URL-encoded slash handling. Remote unauthenticated attackers can craft requests with lowercase-encoded slashes (%2f) to evade path-based access controls when 'allow_encoded_slashes' is disabled (default). This discrepancy between Heimdall's path interpretation and upstream services enables access to restricted endpoints if a permissive default rule exists. GitHub reports a public fix (PR #3207, commit 8b0de6a) with patched version 0.17.14 released. No public exploit identified at time of analysis. CVSS 7.8 with CVSS:4.0 vector indicates network-accessible, low-complexity attack requiring no privileges or user interaction, though real-world impact depends on deployment configuration.

Information Disclosure Heimdall
NVD GitHub
CVSS 4.0
7.8
EPSS
0.0%
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Authorization bypass in Heimdall cloud-native Identity Aware Proxy allows remote unauthenticated attackers to circumvent access control policies via path normalization mismatches. Attackers can craft requests with encoded or relative path traversal sequences (e.g., /public/../admin, /user/%2e%2e/admin) that Heimdall evaluates against one rule while downstream services normalize to a different protected path, enabling unauthorized access to restricted resources or functionality. No public exploit identified at time of analysis, though CVSS vector indicates network-accessible, low-complexity exploitation (CVSS:4.0 AV:N/AC:L/PR:N). Fixed in version 0.17.14.

Information Disclosure Heimdall
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heimdall's case-sensitive host matching bypasses access control policies when attackers submit HTTP requests with alternate letter casing in the Host header, exploiting the discrepancy between HTTP spec (case-insensitive hostnames) and Heimdall's implementation. Versions prior to 0.17.14 fail to match rules configured for lowercase hostnames when requests arrive with mixed or uppercase casing, potentially routing to permissive default rules and granting unintended access. This vulnerability is most dangerous when Heimdall is deployed with insecure default rule enforcement flags enabled, though it requires attackers to know the exact hostname pattern and exploit misconfiguration.

Information Disclosure Heimdall
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Authorization bypass in Heimdall cloud-native Identity Aware Proxy affects versions prior to 0.17.14 due to case-sensitive URL-encoded slash handling. Remote unauthenticated attackers can craft requests with lowercase-encoded slashes (%2f) to evade path-based access controls when 'allow_encoded_slashes' is disabled (default). This discrepancy between Heimdall's path interpretation and upstream services enables access to restricted endpoints if a permissive default rule exists. GitHub reports a public fix (PR #3207, commit 8b0de6a) with patched version 0.17.14 released. No public exploit identified at time of analysis. CVSS 7.8 with CVSS:4.0 vector indicates network-accessible, low-complexity attack requiring no privileges or user interaction, though real-world impact depends on deployment configuration.

Information Disclosure Heimdall
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy