CVE-2026-42274
Deferred Deferred - Pending Action
Path Traversal in Heimdall Identity Aware Proxy

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42274
EUVD
EUVD-2026-28510
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
dadrus heimdall to 0.17.14 (exc)
dadrus heimdall 0.17.14
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-35 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
CWE-436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42274 is a security vulnerability in Heimdall, a cloud native Identity Aware Proxy and Access Control Decision service. The issue arises because Heimdall performs rule matching on the raw, non-normalized request path, while downstream components normalize paths according to RFC 3986. This mismatch allows attackers to bypass access controls by using path traversal sequences such as /user/../admin or URL-encoded variants like /user/%2e%2e/admin. Heimdall authorizes the request based on the raw path, but downstream systems process a different, normalized path (e.g., /admin), potentially granting unauthorized access.

The vulnerability is classified under CWE-35 (Path Traversal) and CWE-436 (Interpretation Conflict). It affects Heimdall versions prior to 0.17.14 and has been patched by normalizing request paths and rejecting paths containing URL-encoded dots to prevent such attacks.

Impact Analysis

This vulnerability can allow an attacker to bypass Heimdall's access control rules by exploiting the difference between raw and normalized request paths. By sending specially crafted requests with path traversal sequences or encoded dot segments, an attacker might gain unauthorized access to restricted data or functionality.

Depending on the system configuration, especially when using free wildcards in access rules, this could lead to privilege escalation or unauthorized invocation of sensitive operations. The vulnerability has a high CVSS score of 7.8, indicating a significant risk due to its network-based exploitability and potential impact on confidentiality and integrity.

Detection Guidance

This vulnerability can be detected by monitoring for requests containing path traversal sequences or URL-encoded dot segments such as /user/../admin, /user/%2e%2e/admin, or /user/%2e%2e%2fadmin. These requests indicate attempts to exploit the path normalization discrepancy.

To detect such attempts on your system or network, you can search your web server or proxy logs for these patterns.

  • Use grep or similar tools to find suspicious paths in logs, for example: grep -E '/user/\.\./admin|/user/%2e%2e/admin|/user/%2e%2e%2fadmin' /path/to/access.log
  • Monitor HTTP requests for encoded dot segments (%2e or %2E) or encoded slashes (%2f) that may be used to bypass access controls.

Additionally, since Heimdall prior to version 0.17.14 does not normalize paths, you can test your Heimdall instance by sending crafted requests with path traversal sequences and observe if unauthorized access is granted.

Mitigation Strategies

Immediate mitigation steps include upgrading Heimdall to version 0.17.14 or later, where the vulnerability has been patched by normalizing request paths and rejecting requests with URL-encoded dot segments.

If upgrading is not immediately possible, you can mitigate the risk by normalizing paths before they reach Heimdall or configuring Heimdall to reject paths containing relative expressions or encoded dots.

Another mitigation is to include rule IDs in JWTs for downstream validation to ensure authorization decisions are consistent.

Also, review and restrict the use of free wildcards in path rules (e.g., /user/** or /public/**) to reduce exposure.

Ensure that the configuration option allow_encoded_slashes is set to reject encoded slashes unless explicitly required and safe.

Finally, verify that trusted proxies and X-Forwarded-* headers are securely configured to prevent spoofing and privilege escalation.

Compliance Impact

The vulnerability in Heimdall allows attackers to bypass access controls by exploiting path normalization mismatches, potentially granting unauthorized access to restricted data or functionality.

Such unauthorized access can lead to breaches of confidentiality and integrity, which are critical concerns under compliance frameworks like GDPR and HIPAA that mandate strict access controls and protection of sensitive data.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to unauthorized data exposure or privilege escalation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42274. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart