Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent...

7.8 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Description

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.

Basic Information

ID CVE-2026-42272

Source GitHub_M

Published May 8, 2026 at 03:40

Affected Product

Vendor dadrus

Product heimdall

Version < 0.17.14

Affected Versions dadrus heimdall < 0.17.14

CWE Classification

CWE-436 CWE-178

References

{
    "lastseen": "",
    "description": "Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.",
    "published": "2026-05-08T03:40:17.541Z",
    "modified": "2026-05-08T03:40:17.541Z",
    "type": "cve",
    "title": "Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation",
    "source": "GitHub_M",
    "references": "https://github.com/dadrus/heimdall/security/advisories/GHSA-43jv-5j4x-qv67\nhttps://github.com/dadrus/heimdall/pull/3207\nhttps://github.com/dadrus/heimdall/commit/8b0de6aba23a047cfee3081df878271bb17f4351\nhttps://github.com/dadrus/heimdall/releases/tag/v0.17.14",
    "id": "CVE-2026-42272",
    "bulletinFamily": "",
    "cwe": [
        "CWE-436",
        "CWE-178"
    ],
    "cvelist": null,
    "sourceData": "dadrus heimdall < 0.17.14",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "heimdall",
    "version": "< 0.17.14",
    "vendor": "dadrus",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation_CVE-2026-42272