CVE-2026-42273
Host Header Case Sensitivity Bypass in Heimdall
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dadrus | heimdall | up to 0.17.14 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-178 | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. |
| CWE-436 | Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42273 is a vulnerability in Heimdall, a cloud-native Identity Aware Proxy and Access Control Decision service, where host matching is done in a case-sensitive manner even though HTTP hostnames are case-insensitive.
Because of this mismatch, a request whose Host header differs only in letter casing from a configured rule is not matched against that rule. The request is then classified differently than intended, which can bypass the access controls the rule was meant to enforce.
For example, if a rule is configured for "admin.example.com" but a request arrives with "Admin.Example.Com", Heimdall does not recognize it as the same host. If a permissive default rule then catches the unmatched request, this can allow unauthorized access or privilege escalation.
The issue was fixed by normalizing hostnames to lowercase before matching, ensuring compliance with the case-insensitivity of HTTP hostnames.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access if Heimdall is configured with a permissive default rule that allows access when no specific host rule matches.
An attacker can exploit the case-sensitive matching by sending requests with Host headers that differ only in case from the intended rules, potentially bypassing access controls.
This could result in privilege escalation or exposure of restricted data and functionality, depending on the configuration and features exposed by Heimdall.
If no default rule is set, the request may simply result in a 404 error, but if a default rule is overly permissive, the risk is significant.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The quickest check is the Heimdall version: releases before 0.17.14 perform case-sensitive host matching, so requests whose Host header differs only in letter casing can miss the intended rule and fall through to the default rule.
To confirm the behaviour on a running instance, send HTTP requests with Host headers that differ only in case from the configured rules and observe whether they are matched by the same rule or bypass access controls.
For example, if a rule is configured for "admin.example.com", send a request with the Host header set to "Admin.Example.Com" and compare how the two requests are handled.
You can use curl commands to test this behavior:
- curl -H "Host: admin.example.com" https://your-heimdall-instance/
- curl -H "Host: Admin.Example.Com" https://your-heimdall-instance/
If the responses differ in access control enforcement or status codes, it indicates the vulnerability may be present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating Heimdall to version 0.17.14 or later, where the vulnerability has been fixed by normalizing hostnames to lowercase before rule matching.
If updating immediately is not possible, consider the following mitigations:
- Avoid using permissive default rules that allow anonymous access, as these can be exploited if host matching fails.
- Normalize incoming request hosts to lowercase before processing in your configuration or proxy layer.
- Use case-insensitive regex patterns for host matching rules.
- Include rule IDs in JWTs for verification to ensure correct rule application.
Also, avoid disabling the secure defaults introduced in version 0.16.0: do not run with insecure flags such as `--insecure` or `--insecure-skip-secure-default-rule-enforcement`.
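The matcher below is an added Go example, not Heimdall's own code, that models the mechanism from the first answer, the two-host check from the detection answer, and the lowercase normalization named in the mitigation steps. `Rule`, `hostname` and `Decide` are hypothetical stand-ins for Heimdall's rule matching; the policy in `main` is constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Rule is a minimal stand-in for a Heimdall rule (hypothetical type, not Heimdall's own).
type Rule struct {
	ID    string
	Host  string
	Allow bool
}

// hostname drops an optional port so "Admin.Example.Com:8443" is compared on the host only.
func hostname(hostHeader string) string {
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		return h
	}
	return hostHeader
}

// Decide returns the ID and verdict of the first rule whose host matches the request's
// Host header, else the default rule (nil = reject). normalize=false is the case-sensitive
// comparison the advisory describes; normalize=true is the fix: lowercase both sides.
func Decide(rules []Rule, def *Rule, hostHeader string, normalize bool) (string, bool) {
	h := hostname(hostHeader)
	for _, r := range rules {
		if r.Host == h || (normalize && strings.ToLower(r.Host) == strings.ToLower(h)) {
			return r.ID, r.Allow
		}
	}
	if def != nil {
		return def.ID, def.Allow // a permissive default turns a missed match into a bypass
	}
	return "", false // no match and no default: Heimdall answers 404
}

func main() {
	// Constructed policy: the admin host is denied, and a permissive default catches the rest.
	rules := []Rule{{ID: "admin", Host: "admin.example.com", Allow: false}}
	def := &Rule{ID: "default", Allow: true}
	for _, host := range []string{"admin.example.com", "Admin.Example.Com"} {
		id, ok := Decide(rules, def, host, false)
		fid, fok := Decide(rules, def, host, true)
		fmt.Printf("%-18s case-sensitive: %s/%v  normalized: %s/%v\n", host, id, ok, fid, fok)
	}
}
```

With the case-sensitive matcher the mixed-case host is routed to the permissive default rule; with normalization both spellings hit the admin rule, and removing the default rule turns the miss into a rejection instead of a bypass.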
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Heimdall allows for potential unauthorized access due to case-sensitive host matching, which can lead to policy bypasses if an adversary exploits differences in letter casing in hostnames.
Such unauthorized access risks could impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.
If Heimdall is configured with overly permissive default rules, this vulnerability could allow attackers to access restricted data or functionality, potentially resulting in data breaches or unauthorized data exposure.
Therefore, failure to patch this vulnerability or to properly configure Heimdall could lead to non-compliance with regulatory requirements related to data security and privacy.