CVE-2026-42274

N/A Unknown

Published: May 08, 2026 Modified: May 08, 2026

Description

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/dadrus/heimdall/commit/b5dfa484b7a8c2ce6d8691c026f9da867719947a

Source: security-advisories@github.com

https://github.com/dadrus/heimdall/pull/3209

Source: security-advisories@github.com

https://github.com/dadrus/heimdall/releases/tag/v0.17.14

Source: security-advisories@github.com

https://github.com/dadrus/heimdall/security/advisories/GHSA-3q34-rx83-r6mq

Source: security-advisories@github.com

4 reference(s) from NVD

Quick Stats

CVSS v3 Score

N/A / 10.0

EPSS (Exploit Probability)

0.4%

29th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-35 CWE-436

Related CVEs

CVE-2026-12243 7.5

CVE-2026-8023 7.5

CVE-2026-7656 8.1

CVE-2026-51219 N/A

CVE-2026-51218 N/A