CVE-2026-42273
Deferred Deferred - Pending Action
Host Header Case Sensitivity Bypass in Heimdall

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host that differs only in letter casing, potentially causing the request to be classified differently than intended. This issue has been patched in version 0.17.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42273
EUVD
EUVD-2026-28509
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dadrus heimdall to 0.17.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-178 The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
CWE-436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42273 is a vulnerability in Heimdall, a cloud native Identity Aware Proxy and Access Control Decision service, where host matching is done in a case-sensitive manner despite HTTP hostnames being case-insensitive.

This mismatch means that if a request's Host header differs only in letter casing from a configured rule, Heimdall may fail to match the rule correctly. This can cause requests to be classified differently than intended, potentially bypassing access controls.

For example, if a rule is set for "admin.example.com" but a request comes in with "Admin.Example.Com", Heimdall might not recognize it as the same host. If a default rule is permissive, this can allow unauthorized access or privilege escalation.

The issue was fixed by normalizing hostnames to lowercase before matching, ensuring compliance with the case-insensitivity of HTTP hostnames.

Impact Analysis

This vulnerability can lead to unauthorized access if Heimdall is configured with a permissive default rule that allows access when no specific host rule matches.

An attacker can exploit the case-sensitive matching by sending requests with Host headers that differ only in case from the intended rules, potentially bypassing access controls.

This could result in privilege escalation or exposure of restricted data and functionality, depending on the configuration and features exposed by Heimdall.

If no default rule is set, the request may simply result in a 404 error, but if a default rule is overly permissive, the risk is significant.

Detection Guidance

This vulnerability can be detected by checking if Heimdall is performing case-sensitive host matching, which can cause requests with Host headers differing only in letter casing to bypass intended rules.

One way to detect this on your system is to send HTTP requests with Host headers that differ only in case from the configured rules and observe if the requests are matched or if they bypass access controls.

For example, if your rule is configured for "admin.example.com", try sending a request with the Host header set to "Admin.Example.Com" and see if the request is handled differently or bypasses restrictions.

You can use curl commands to test this behavior:

  • curl -H "Host: admin.example.com" https://your-heimdall-instance/
  • curl -H "Host: Admin.Example.Com" https://your-heimdall-instance/

If the responses differ in access control enforcement or status codes, it indicates the vulnerability may be present.

Mitigation Strategies

Immediate mitigation steps include updating Heimdall to version 0.17.14 or later, where the vulnerability has been fixed by normalizing hostnames to lowercase before rule matching.

If updating immediately is not possible, consider the following mitigations:

  • Avoid using permissive default rules that allow anonymous access, as these can be exploited if host matching fails.
  • Normalize incoming request hosts to lowercase before processing in your configuration or proxy layer.
  • Use case-insensitive regex patterns for host matching rules.
  • Include rule IDs in JWTs for verification to ensure correct rule application.

Also, avoid disabling secure defaults introduced in version 0.16.0 by not using insecure flags like --insecure or --insecure-skip-secure-default-rule-enforcement.

Compliance Impact

The vulnerability in Heimdall allows for potential unauthorized access due to case-sensitive host matching, which can lead to policy bypasses if an adversary exploits differences in letter casing in hostnames.

Such unauthorized access risks could impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

If Heimdall is configured with overly permissive default rules, this vulnerability could allow attackers to access restricted data or functionality, potentially resulting in data breaches or unauthorized data exposure.

Therefore, failure to patch this vulnerability or to properly configure Heimdall could lead to non-compliance with regulatory requirements related to data security and privacy.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42273. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart