Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host that differs only in letter casing, potentially causing the request to be classified differently than intended. This issue has been patched in version 0.17.14.
Published: 2026-05-08
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Heimdall, a cloud native Identity Aware Proxy, performed HTTP host matching in a case-sensitive way. Because hostnames are case-insensitive, a request whose Host header differed from the configured rule only in letter case could fail to match the intended rule. The request is then classified differently than intended, which can let an attacker obtain or bypass access that should be denied. The weakness is classified as CWE-178 (Improper Handling of Case Sensitivity) and CWE-436 (Interpretation Conflict).

Affected Systems

The vulnerability affects the Heimdall product provided by dadrus. All releases prior to version 0.17.14 are impacted. Users on any earlier version should assume that requests for, for example, example.com and EXAMPLE.com may be treated inconsistently, which could lead to unauthorized access.

Risk and Exploitability

With a CVSS 4.0 score of 7.8, the issue is considered high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. An attacker can manipulate the Host header field in an HTTP request to a Heimdall-protected resource, choosing a case variation that will not match the stored policy. The attack is straightforward and requires only the ability to send HTTP traffic to the service, making exploitation likely in environments where Heimdall is exposed to untrusted clients.

Generated by OpenCVE AI on May 8, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Heimdall to version 0.17.14 or later, which normalizes host matching to be case-insensitive.
  • If an immediate upgrade is not possible, restrict traffic to Heimdall behind a proxy or firewall that normalizes the Host header to a consistent lower-case form before it reaches Heimdall.
  • After mitigation, confirm that requests whose Host header differs only in casing are evaluated against the same policy by sending test requests and comparing the decisions.
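As an added illustration (not Heimdall's own code), the flawed byte-for-byte comparison and the normalised one side by side, plus the consistency check from the last bullet, written in Go, the language Heimdall is implemented in. The rule set and hostnames are constructed for the example; stripping an explicit port and a trailing dot is this example's assumption about what a canonical host should look like.

```go
package main

import (
	"net"
	"strings"
)

// Rule binds a host pattern to the policy that should apply to it.
type Rule struct {
	Host   string
	Policy string
}

// Constructed rule set for the demonstration; not Heimdall's rule format.
var rules = []Rule{
	{Host: "api.example.com", Policy: "require-jwt"},
	{Host: "public.example.com", Policy: "allow-anonymous"},
}

// exact is the flawed pre-0.17.14 key: the host byte-for-byte, case and all.
func exact(host string) string { return host }

// canonicalHost is the fixed key: lowercased, with an explicit port and a
// trailing dot removed, so equivalent spellings of one name compare equal.
func canonicalHost(host string) string {
	h := strings.TrimSpace(host)
	if name, _, err := net.SplitHostPort(h); err == nil {
		h = name // "api.example.com:8443" -> "api.example.com"
	}
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// matchHost returns the policy for host, passing both the rule host and the
// request host through key, so a rule written in mixed case still matches.
func matchHost(key func(string) string, host string) (string, bool) {
	for _, r := range rules {
		if key(r.Host) == key(host) {
			return r.Policy, true
		}
	}
	return "", false
}

// sameDecision is the post-mitigation check: all casings must match alike.
func sameDecision(key func(string) string, variants ...string) bool {
	p0, ok0 := matchHost(key, variants[0])
	for _, v := range variants[1:] {
		if p, ok := matchHost(key, v); ok != ok0 || p != p0 {
			return false
		}
	}
	return true
}
```

The example handles ASCII hostnames only; internationalised names would additionally need IDNA normalisation before comparison.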



Advisories
Source: Github GHSA
ID: GHSA-72h4-mxfc-jx37
Title: Heimdall: Case-sensitive host matching may lead to policy bypass
History

Fri, 08 May 2026 05:45:00 +0000

Type: First Time appeared
  Values Added: Dadrus; Dadrus heimdall
Type: Vendors & Products
  Values Added: Dadrus; Dadrus heimdall

Fri, 08 May 2026 04:00:00 +0000

Type: Description
  Values Added: Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host that differs only in letter casing, potentially causing the request to be classified differently than intended. This issue has been patched in version 0.17.14.
Type: Title
  Values Added: Heimdall: Case-sensitive host matching may lead to policy bypass
Type: Weaknesses
  Values Added: CWE-178; CWE-436
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T03:42:50.312Z

Reserved: 2026-04-26T11:53:27.707Z

Link: CVE-2026-42273

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T04:16:22.457

Modified: 2026-05-08T04:16:22.457

Link: CVE-2026-42273

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses