Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.
Published: 2026-05-08
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Heimdall, a cloud native Identity Aware Proxy, processes URL-encoded slashes in a case-sensitive manner. While percent-encoding is defined to be case-insensitive, the software only recognizes the uppercase %2F. When allow_encoded_slashes is set to off, its default setting, the lowercase %2f is treated as a literal slash by Heimdall but is ignored by upstream components, leading to inconsistent path interpretation. This discrepancy can allow an attacker to craft requests that resolve to protected paths in Heimdall but not in upstream services, effectively bypassing intended authorization checks and enabling unauthorized access to resources.
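To make the mismatch concrete, here is an added Go example (not Heimdall's code and not part of the advisory) that places a case-sensitive encoded-slash check, reconstructed from the behaviour the advisory describes, beside a case-insensitive one that follows RFC 3986, and compares the proxy's raw view of a path with the percent-decoded view an upstream would act on. It assumes that allow_encoded_slashes set to off means such requests are refused; the sample paths, the "/api/admin" route and every function name are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// encodedSlashCaseSensitive reproduces the pre-0.17.14 behaviour the advisory
// describes: only the uppercase "%2F" counts as an encoded slash. It is a
// reconstruction for illustration, not Heimdall's actual implementation.
func encodedSlashCaseSensitive(rawPath string) bool {
	return strings.Contains(rawPath, "%2F")
}

// encodedSlashCaseInsensitive applies RFC 3986 section 2.1: the two hex digits
// of a percent-encoded octet are case-insensitive, so "%2F" and "%2f" are the
// same octet. Only the hex digits are compared, never the decoded path.
func encodedSlashCaseInsensitive(rawPath string) bool {
	for i := 0; i+2 < len(rawPath); i++ {
		if rawPath[i] == '%' && rawPath[i+1] == '2' && (rawPath[i+2] == 'F' || rawPath[i+2] == 'f') {
			return true
		}
	}
	return false
}

// Decision models how a proxy and its upstream each see one request path.
type Decision struct {
	Rejected     bool   // proxy refused the request because it carries an encoded slash
	ProxyView    string // path as the proxy evaluates it (raw, not percent-decoded)
	UpstreamView string // path as a percent-decoding upstream would act on it
}

// decide evaluates rawPath with the given detector. allowEncodedSlashes=false
// models the default "off" setting; the assumption here is that "off" refuses
// requests in which an encoded slash is detected.
func decide(rawPath string, allowEncodedSlashes bool, detect func(string) bool) Decision {
	d := Decision{ProxyView: rawPath}
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		decoded = rawPath // malformed escape sequence: leave the path as-is
	}
	d.UpstreamView = decoded
	d.Rejected = !allowEncodedSlashes && detect(rawPath)
	return d
}

// Inconsistent reports the condition the advisory warns about: the request was
// let through, yet the proxy and the upstream would see a different segment
// structure, so an authorization decision made on one view does not cover the other.
func (d Decision) Inconsistent() bool {
	if d.Rejected {
		return false
	}
	return strings.Count(d.ProxyView, "/") != strings.Count(d.UpstreamView, "/")
}

func main() {
	// Constructed sample paths; "/api/admin" stands in for any protected route.
	for _, p := range []string{"/api/admin", "/api%2Fadmin", "/api%2fadmin"} {
		before := decide(p, false, encodedSlashCaseSensitive)
		after := decide(p, false, encodedSlashCaseInsensitive)
		fmt.Printf("%-13s pre-fix: rejected=%-5t inconsistent=%-5t | fixed: rejected=%-5t inconsistent=%t\n",
			p, before.Rejected, before.Inconsistent(), after.Rejected, after.Inconsistent())
	}
}
```

The Inconsistent check is the part worth keeping in a defender's toolbox: whichever component decides on a path, comparing the segment count of the raw path with that of its decoded form flags any request where the two views of the resource would diverge, independent of which hex-digit case an encoder happened to use.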

Affected Systems

The flaw impacts the Heimdall service released by Dadrus. Any deployment of Heimdall before version 0.17.14 is vulnerable; the fix was introduced in that release. Systems running the default configuration, with allow_encoded_slashes disabled, are at risk.

Risk and Exploitability

The CVSS score of 7.8 classifies the vulnerability as high severity. Exploitation would be performed over the network by sending crafted HTTP requests that contain lowercase %2f to trigger inconsistent path handling between Heimdall and upstream services. Because Heimdall is commonly exposed to the Internet, the likelihood of exploitation is significant, although no publicly disclosed exploits are currently listed in KEV or reported. Attackers would not need elevated privileges, making this vector readily exploitable if no additional controls are in place.

Generated by OpenCVE AI on May 8, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Heimdall to version 0.17.14 or later, which resolves the case-sensitivity issue for URL-encoded slashes.
  • Verify that the allow_encoded_slashes configuration remains set to its default value (off) after updating, ensuring consistent path handling across the chain.
  • Consider implementing additional path validation or strict URL normalization in upstream services to mitigate potential bypasses until the upgrade is complete.



Advisories
Source: Github GHSA
ID: GHSA-43jv-5j4x-qv67
Title: Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
History

Fri, 08 May 2026 05:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dadrus, Dadrus heimdall
Vendors & Products | | Dadrus, Dadrus heimdall

Fri, 08 May 2026 04:00:00 +0000

Type | Values Removed | Values Added
Description | | Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.
Title | | Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
Weaknesses | | CWE-178, CWE-436
References | |
Metrics | | cvssV4_0: {'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T03:40:17.541Z

Reserved: 2026-04-26T11:53:27.707Z

Link: CVE-2026-42272

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T04:16:22.013

Modified: 2026-05-08T04:16:22.013

Link: CVE-2026-42272

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses