CVE-2026-42272
Deferred Deferred - Pending Action
Path Traversal in Heimdall Identity Aware Proxy

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42272
EUVD
EUVD-2026-28508
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dadrus heimdall to 0.17.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-178 The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
CWE-436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handled URL-encoded slashes (%2F) in a case-sensitive way, recognizing only the uppercase %2F but not the lowercase %2f. Since percent-encoding is defined to be case-insensitive, this inconsistency caused Heimdall to interpret request paths differently than upstream components when the default setting allow_encoded_slashes was off.

This mismatch in path interpretation could lead to an authorization bypass, where access controls enforced by Heimdall might be circumvented because certain encoded slashes were not recognized properly. For example, a request path containing %2f might bypass Heimdall's rules but still be interpreted as a slash by upstream services, potentially granting unauthorized access.

The vulnerability was fixed in version 0.17.14 by changing Heimdall to handle URL-encoded slashes in a case-insensitive manner, ensuring consistent path processing and preventing this bypass.

Impact Analysis

This vulnerability can lead to unauthorized access by bypassing Heimdall's access control rules due to inconsistent handling of URL-encoded slashes. If Heimdall is configured with permissive or insecure default rules, an attacker could exploit this to gain access to restricted resources.

The impact includes potential unauthorized data access, modification, or privilege escalation depending on the specific configuration and environment where Heimdall is deployed.

Mitigations include updating Heimdall to version 0.17.14 or later, configuring deny-by-default rules, rejecting encoded slashes at the proxy layer, or using JWTs with rule IDs for verification.

Detection Guidance

Detection of this vulnerability involves identifying requests that use lowercase URL-encoded slashes (%2f) which Heimdall prior to version 0.17.14 does not properly recognize when allow_encoded_slashes is set to off. Such requests may bypass authorization rules due to inconsistent path interpretation.

You can monitor your network or system logs for requests containing %2f in URLs, especially targeting sensitive paths like /admin%2fsecret.

Example commands to detect such requests in logs might include:

  • Using grep on access logs to find lowercase encoded slashes: grep -i '%2f' /path/to/heimdall/access.log
  • Using curl to test if the server treats %2f and %2F differently: curl -v 'https://yourheimdallserver/admin%2fsecret' and curl -v 'https://yourheimdallserver/admin%2Fsecret' to compare responses.

Additionally, checking the Heimdall version and configuration (allow_encoded_slashes setting) can help identify if the system is vulnerable.

Mitigation Strategies

The primary immediate mitigation step is to upgrade Heimdall to version 0.17.14 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, consider the following workarounds:

  • Avoid using insecure flags or configurations that disable secure defaults, such as explicitly disabling deny-by-default rules.
  • Configure Heimdall with a deny-by-default rule to prevent unauthorized access by default.
  • Reject encoded slashes at the proxy layer before requests reach Heimdall.
  • Include rule IDs in JWTs for verification to ensure authorization rules are properly enforced.

Review your Heimdall configuration to ensure that allow_encoded_slashes is set appropriately and that authorization rules are not overly permissive.

Compliance Impact

The vulnerability in Heimdall allows for an authorization bypass due to improper handling of URL-encoded slashes, which can lead to unauthorized access, data modification, or privilege escalation depending on the configuration.

Such unauthorized access or data breaches could potentially impact compliance with common standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive data.

If exploited, this vulnerability could compromise confidentiality and integrity of protected data, thereby increasing the risk of non-compliance with these regulations.

However, the risk is mitigated if secure default configurations are used, such as deny-by-default rules or rejecting encoded slashes at the proxy layer.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42272. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart