CVE-2026-32811
URL Encoding Bypass in Heimdall Envoy gRPC Access Control

Publication date: 2026-03-20

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. When Heimdall is used in Envoy gRPC decision API mode with versions 0.7.0-alpha through 0.17.10, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. Envoy splits the requested URL into parts and sends the parts individually to Heimdall. Although both query and path are present in the API, the query field is documented to be always empty and the URL query is included in the path field. The implementation uses Go's url library to reconstruct the URL, which automatically percent-encodes special characters in the path. As a consequence, a path field value like /mypath?foo=bar assigned to Path is escaped into /mypath%3Ffoo=bar. Subsequently, a rule matching /mypath no longer matches and is bypassed. The issue can only lead to unintended access if Heimdall is configured with an "allow all" default rule. Since v0.16.0, Heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled, e.g. via --insecure-skip-secure-default-rule-enforcement or the broader --insecure flag. This issue has been fixed in version 0.17.11.
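The encoding defect described above can be reproduced with Go's standard net/url package alone. The following is an added illustration, not Heimdall's or Envoy's own code: the Envoy field values, the rule path and the helper names are constructed for the example. It contrasts the defective reconstruction (the whole path field, query included, assigned to url.URL.Path) with a reconstruction that separates the query first, and shows how a non-wildcard path rule behaves on each result.

```go
package main

import (
	"fmt"
	"net/url"
)

// Constructed sample of what the Envoy check request carries in the scenario
// from the advisory: the query string is folded into the path field and the
// query field is empty. These values are assumptions for illustration.
const (
	envoyPathField  = "/mypath?foo=bar"
	envoyQueryField = ""
)

// Hypothetical non-wildcard path rule protecting /mypath. The constant name
// and the exact-match semantics are assumptions, not Heimdall's rule format.
const protectedPath = "/mypath"

// reconstructVulnerable mirrors the defective reconstruction: the entire Envoy
// path field is assigned to url.URL.Path, so URL.String() percent-encodes the
// '?' as %3F and the query becomes part of the path.
func reconstructVulnerable(path, query string) string {
	u := url.URL{Path: path, RawQuery: query}
	return u.String()
}

// reconstructFixed parses the Envoy path field as a request-URI, which splits
// the query off into RawQuery before the URL is rebuilt, so '?' is preserved.
func reconstructFixed(path, query string) (string, error) {
	u, err := url.ParseRequestURI(path)
	if err != nil {
		return "", err
	}
	// If Envoy ever populated the separate query field, prefer it.
	if query != "" {
		u.RawQuery = query
	}
	return u.String(), nil
}

// matchesPathRule applies a simplified non-wildcard rule: the rule matches when
// the decoded path component of the reconstructed URL equals the rule path.
func matchesPathRule(rawURL, rulePath string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	return u.Path == rulePath
}

func main() {
	vuln := reconstructVulnerable(envoyPathField, envoyQueryField)
	fixed, err := reconstructFixed(envoyPathField, envoyQueryField)
	if err != nil {
		panic(err)
	}
	fmt.Printf("vulnerable reconstruction: %-20s rule /mypath matches: %v\n", vuln, matchesPathRule(vuln, protectedPath))
	fmt.Printf("fixed reconstruction:      %-20s rule /mypath matches: %v\n", fixed, matchesPathRule(fixed, protectedPath))
}
```

With the defective reconstruction the URL becomes /mypath%3Ffoo=bar, whose path component decodes to "/mypath?foo=bar" and therefore never equals "/mypath", so the rule is skipped and only the default rule decides; with the query split off first the path is "/mypath" and the rule applies. This is why the advisory limits the impact to deployments whose default rule is "allow all".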
Meta Information
Published
2026-03-20
Last Modified
2026-03-30
Generated
2026-05-07
AI Q&A
2026-03-20
EPSS Evaluated
2026-05-05
NVD
Affected Vendors & Products
Vendor Product Version / Range
dadrus heimdall From 0.7.0 (inc) to 0.17.11 (exc)
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32811 is a vulnerability in Heimdall versions 0.7.0-alpha through 0.17.10 when used with Envoy's gRPC decision API mode. The issue arises from incorrect encoding of the query URL string, which allows bypassing of rules that use non-wildcard path expressions.

Envoy splits the requested URL into parts and sends them to Heimdall, where the query field is always empty and the entire URL query is included in the path field. Heimdall reconstructs the URL using Go's URL library, which percent-encodes special characters in the path. For example, a path like '/mypath?foo=bar' is encoded as '/mypath%3Ffoo=bar', causing rules matching '/mypath' to fail and be bypassed.

This vulnerability only leads to unintended access if Heimdall is configured with an 'allow all' default rule. Since version 0.16.0, Heimdall enforces secure defaults preventing startup with such insecure configurations unless explicitly overridden.

The issue was fixed in Heimdall version 0.17.11 by correctly parsing and separating the query string from the path in the Envoy gRPC ExtAuth integration. [1, 3, 4]


How can this vulnerability impact me?

This vulnerability can allow attackers to bypass specific deny-list rules in Heimdall when using Envoy's gRPC decision API mode if Heimdall is configured with an 'allow all' default rule.

By appending query parameters to a path, attackers can circumvent access control rules that rely on non-wildcard path matching, potentially gaining unauthorized access to protected resources.

The severity is high with a CVSS v3.1 base score of 8.2, indicating a network attack vector with low complexity, no privileges required, no user interaction, and impacts confidentiality and integrity.

However, this impact is mitigated if Heimdall is configured with secure defaults (enforced since version 0.16.0) that disallow 'allow all' default rules unless explicitly overridden. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves incorrect encoding and handling of query strings in URLs when Heimdall is used in Envoy gRPC decision API mode. Detection involves identifying if requests with query parameters appended to paths are bypassing rules that should match those paths.

To detect this on your system or network, you can monitor and analyze Envoy gRPC authorization requests to Heimdall, focusing on requests where the path contains encoded query parameters (e.g., %3F). Look for authorization decisions that unexpectedly allow access when query parameters are present.

Suggested commands or approaches include:

  • Capture and inspect Envoy gRPC authorization requests using network tools like tcpdump or Wireshark, filtering for traffic between Envoy and Heimdall.
  • Use logging or debugging features in Heimdall to log incoming request paths and authorization decisions, checking for paths with encoded query strings.
  • Run test requests with paths containing query parameters (e.g., `/mypath?foo=bar`) and observe if rules matching `/mypath` are bypassed.
  • If Heimdall logs or metrics are available, query them for authorization results on paths with encoded query strings.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade Heimdall to version 0.17.11 or later, where the vulnerability is fixed by correctly parsing and separating the query string from the path in Envoy gRPC ExtAuth integration.
  • Ensure Heimdall is not configured with an "allow all" default rule, as the vulnerability only leads to unintended access if such a permissive default rule is present.
  • If upgrading immediately is not possible, enable Heimdall's secure defaults which refuse to start with an insecure "allow all" default rule unless explicitly overridden by flags like `--insecure-skip-secure-default-rule-enforcement` or `--insecure`.
  • Review and tighten access control rules to avoid relying on permissive defaults.

[1, 4, 3]

