Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. When using Heimdall in Envoy gRPC decision API mode with versions 0.7.0-alpha through 0.17.10, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. Envoy splits the requested URL into parts and sends the parts individually to Heimdall. Although query and path are both present in the API, the query field is documented to be always empty and the URL query is included in the path field. The implementation uses Go's url library to reconstruct the URL, which automatically encodes special characters in the path. As a consequence, a Path value such as /mypath?foo=bar is escaped into /mypath%3Ffoo=bar. Subsequently, a rule matching /mypath no longer matches and is bypassed. The issue can only lead to unintended access if Heimdall is configured with an "allow all" default rule. Since v0.16.0, Heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled, e.g. via --insecure-skip-secure-default-rule-enforcement or the broader --insecure flag. This issue has been fixed in version 0.17.11.
Published: 2026-03-20
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass via Query String Escaping
Action: Immediate Patch
AI Analysis

Impact

Heimdall, a cloud-native identity-aware proxy, misencodes URLs received through the Envoy gRPC decision API in versions 0.7.0-alpha through 0.17.10. The Go url library re-encodes the query string as part of the path, converting /mypath?foo=bar into /mypath%3Ffoo=bar. Rules that match the unescaped path /mypath no longer match, allowing traffic to bypass rules that are not wildcarded. This flaw is a classic authorization bypass (CWE-863) triggered by improper input handling (CWE-116). The vulnerability can only lead to unintended access if Heimdall is configured with an "allow all" default rule; secure-default enforcement introduced in v0.16.0 prevents the service from starting with such a permissive configuration unless the --insecure or --insecure-skip-secure-default-rule-enforcement flags are used.
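The encoding step described above can be reproduced with Go's net/url in a few lines. The following is an added example, not Heimdall's code: naiveReconstruct places the whole Envoy path attribute (query still embedded) into url.URL.Path, which is the pattern the advisory describes, while safeReconstruct splits the attribute into path and query before serialising it. pathMatches is an assumed, simplified model of a non-wildcard rule (exact match on the path component); the envoyPathAttr sample value and all helper names are constructed for illustration and do not reflect Heimdall's actual rule engine.

```go
package main

import (
	"fmt"
	"net/url"
)

// Constructed sample: what Envoy would carry in its "path" attribute for a
// request to /mypath?foo=bar. The advisory notes the separate query attribute
// is documented as always empty, so the query travels inside the path.
const envoyPathAttr = "/mypath?foo=bar"

// naiveReconstruct reproduces the defect: the whole attribute is assigned to
// url.URL.Path, and String() percent-encodes the '?' as %3F because '?' is a
// reserved character inside a path component.
func naiveReconstruct(pathAttr string) string {
	u := url.URL{Path: pathAttr}
	return u.String()
}

// safeReconstruct parses the attribute as a request-URI first, so the part
// after '?' becomes RawQuery and the path component is left as it was sent.
func safeReconstruct(pathAttr string) (string, error) {
	u, err := url.ParseRequestURI(pathAttr)
	if err != nil {
		return "", err
	}
	return u.String(), nil
}

// pathMatches is an assumed model of a non-wildcard rule: it matches only
// when the decoded path component (query stripped) equals rulePath exactly.
func pathMatches(rulePath, requestURL string) bool {
	u, err := url.ParseRequestURI(requestURL)
	if err != nil {
		return false
	}
	return u.Path == rulePath
}

func main() {
	naive := naiveReconstruct(envoyPathAttr)
	safe, err := safeReconstruct(envoyPathAttr)
	if err != nil {
		panic(err)
	}
	// With the naive reconstruction the decoded path is "/mypath?foo=bar",
	// so an exact rule on /mypath no longer applies to the request.
	fmt.Printf("naive: %-20s rule /mypath matches: %v\n", naive, pathMatches("/mypath", naive))
	// Splitting first keeps the path as /mypath and the query as foo=bar.
	fmt.Printf("safe:  %-20s rule /mypath matches: %v\n", safe, pathMatches("/mypath", safe))
}
```

The defender-side takeaway is the one the advisory implies: a path-matching rule is only as reliable as the URL reconstruction feeding it, and a permissive default rule turns any such mismatch into unintended access, which is why the secure-default enforcement matters even before the patched version is deployed.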

Affected Systems

The affected product is Heimdall from vendor dadrus, specifically all releases from 0.7.0-alpha through 0.17.10 inclusive. Version 0.17.11 and later include the fix.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.2 (High) and an EPSS score of less than 1%, indicating a low likelihood of exploitation, and it is not listed in CISA's KEV catalog. Exploitation requires an Envoy configuration that routes decision requests to Heimdall and a permissive default rule; an attacker can send a crafted URL containing a query string through Envoy to trigger the bypass. With secure defaults enforced, exploitation is mitigated unless an administrator explicitly disables the protection.

Generated by OpenCVE AI on March 30, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Heimdall to version 0.17.11 or newer, which resolves the URL encoding bug.
  • If upgrading is delayed, run Heimdall without the --insecure or --insecure-skip-secure-default-rule-enforcement flags and ensure that no "allow all" default rule is configured.
  • Verify that the deployment uses secure defaults by confirming the service refuses to start with a permissive configuration unless intentionally overridden.
  • Consider disabling or restricting the Envoy gRPC decision API for services that cannot run the patched version.

Advisories
Source: GitHub GHSA
ID: GHSA-r8x2-fhmf-6mxp
Title: Heimdall: Path received via Envoy gRPC corrupted when containing query string
History

Mon, 30 Mar 2026 15:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:dadrus:heimdall:*:*:*:*:*:*:*:*

Sat, 21 Mar 2026 05:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Dadrus; Dadrus heimdall
Type: Vendors & Products
Values Added: Dadrus; Dadrus heimdall

Fri, 20 Mar 2026 02:15:00 +0000

Type: Description
Values Added: (full text identical to the Description at the top of this record)
Type: Title
Values Added: Heimdall: Path received via Envoy gRPC corrupted when containing query string
Type: Weaknesses
Values Added: CWE-116; CWE-863
Type: References
Values Added: (see Advisories above)
Type: Metrics
Values Added: cvssV3_1
{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-21T03:00:29.146Z

Reserved: 2026-03-16T17:35:36.696Z

Link: CVE-2026-32811

Vulnrichment

Updated: 2026-03-21T03:00:24.032Z

NVD

Status: Analyzed

Published: 2026-03-20T02:16:34.857

Modified: 2026-03-30T15:01:22.760

Link: CVE-2026-32811

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:58:20Z

Weaknesses