Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14.
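To make the mismatch concrete, here is an added Go example (not Heimdall's code; the prefix-matching rule set and the function names are constructed for illustration). It applies the same rule to the raw path, as Heimdall did before 0.17.14, and to the RFC 3986 normalized path the downstream would see, and flags requests where the two decisions disagree. It percent-decodes before removing dot-segments, modelling a downstream that decodes %2e and %2f; the %2f variant only reaches the downstream in that form when allow_encoded_slashes is on or no_decode.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// rule is a constructed stand-in for a Heimdall rule: a path prefix and its decision.
type rule struct {
	prefix string
	allow  bool
}
// Constructed rule set: anything under /user/ is open, /admin is denied; first match wins.
var rules = []rule{
	{prefix: "/user/", allow: true},
	{prefix: "/admin", allow: false},
}
func match(p string) bool {
	for _, r := range rules {
		if strings.HasPrefix(p, r.prefix) {
			return r.allow
		}
	}
	return false // default deny
}
// decideRaw matches the path exactly as received (the pre-0.17.14 behaviour the advisory describes).
func decideRaw(rawPath string) bool { return match(rawPath) }
// normalizePath percent-decodes, then removes dot-segments per RFC 3986 6.2.2.3, as a downstream would.
func normalizePath(rawPath string) string {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		decoded = rawPath // malformed escape: leave it for the downstream to reject
	}
	return path.Clean("/" + strings.TrimPrefix(decoded, "/"))
}
// decideNormalized authorizes the path the downstream will actually serve (the mitigation).
func decideNormalized(rawPath string) bool { return match(normalizePath(rawPath)) }
// mismatch reports a request whose raw and normalized decisions disagree.
func mismatch(rawPath string) bool { return decideRaw(rawPath) != decideNormalized(rawPath) }
func main() {
	for _, p := range []string{"/user/profile", "/user/../admin", "/user/%2e%2e/admin", "/user/%2e%2e%2fadmin"} {
		fmt.Printf("%-22s raw=%-5t normalized=%-5t (%s) mismatch=%t\n", p, decideRaw(p), decideNormalized(p), normalizePath(p), mismatch(p))
	}
}
```

Any request for which mismatch returns true is one the access log check in the recommended actions should surface; authorizing on the normalized path removes the discrepancy.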
Published: 2026-05-08
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Heimdall applies rule matching to the raw request path, while downstream components normalize dot‑segments per RFC 3986. When the path contains dot‑segments or encoded equivalents such as "/user/../admin" or "/user/%2e%2e/admin", Heimdall may grant access to the unnormalized path while the downstream service interprets the request as a different, normalized path (e.g., "/admin"). This mismatch enables an attacker to obtain elevated privileges by accessing resources they should not be able to reach, resulting in an authorization bypass and potential privilege escalation.

Affected Systems

All installations of Heimdall version 0.17.13 and earlier are affected. The vulnerability is fixed in Heimdall 0.17.14 and later releases. The vulnerability applies to the default configuration of Heimdall where downstream components perform path normalization according to RFC 3986.

Risk and Exploitability

The CVSS score of 7.8 indicates a high-severity vulnerability. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. Exploitation can be carried out remotely by sending a crafted HTTP request that includes dot‑segments or encoded path components. If the downstream component normalizes the path, the attacker may obtain unauthorized access to protected resources. The attack requires only the ability to send an HTTP request to the Heimdall gateway and a downstream service that normalizes the path.

Generated by OpenCVE AI on May 8, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Heimdall to version 0.17.14 or later to remove the path normalization mismatch
  • Configure downstream services to normalize path segments in accordance with Heimdall and disable allow_encoded_slashes where possible to prevent encoded path confusion
  • Monitor access logs for anomalous path patterns that may indicate attempts to exploit the path normalization mismatch

Generated by OpenCVE AI on May 8, 2026 at 05:51 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-3q34-rx83-r6mq
Title: Heimdall has an authorization bypass via path normalization mismatch
History

Mon, 11 May 2026 19:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 06:15:00 +0000

Values added:
  • First Time appeared: Dadrus; Dadrus heimdall
  • Vendors & Products: Dadrus; Dadrus heimdall

Fri, 08 May 2026 04:00:00 +0000

Values added:
  • Description: Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14.
  • Title: Heimdall: Authorization bypass via path normalization mismatch
  • Weaknesses: CWE-35; CWE-436
  • References: (none)
  • Metrics (cvssV4_0): {'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T18:20:15.059Z

Reserved: 2026-04-26T11:53:27.707Z

Link: CVE-2026-42274

Vulnrichment

Updated: 2026-05-11T18:20:00.585Z

NVD

Status : Deferred

Published: 2026-05-08T04:16:22.643

Modified: 2026-05-08T16:03:26.693

Link: CVE-2026-42274

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T06:00:11Z

Weaknesses