CVE-2026-42274
Status: Deferred - Pending Action
Path Traversal in Heimdall Identity Aware Proxy

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14.
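To make the discrepancy concrete, here is an added example in Go (not Heimdall's own code and not part of this advisory): a toy prefix-matching authorizer is evaluated once on the raw request path, which is the pre-0.17.14 behaviour described above, and once on a canonical path that rejects percent-encoded dots, rejects percent-encoded slashes unless explicitly allowed, and resolves dot-segments per RFC 3986 before matching. The Rule type, the rule set, the function names and the decision logic are assumptions of this example; downstreamPath models a backend that percent-decodes and normalizes the path it receives.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Rule is a hypothetical, deliberately simplified stand-in for an access rule:
// the first rule whose prefix matches the path decides. Real Heimdall rules
// are richer; this is only enough to show the matching discrepancy.
type Rule struct {
	Prefix string
	Allow  bool
}

var (
	encodedDot   = regexp.MustCompile(`(?i)%2e`)
	encodedSlash = regexp.MustCompile(`(?i)%2f`)
)

// removeDotSegments resolves "." and ".." segments of an absolute path the way
// RFC 3986 section 5.2.4 describes; "/user/../admin" becomes "/admin".
func removeDotSegments(p string) string {
	out := []string{}
	for _, seg := range strings.Split(strings.TrimPrefix(p, "/"), "/") {
		switch seg {
		case ".":
			// current segment, nothing to emit
		case "..":
			if len(out) > 0 {
				out = out[:len(out)-1]
			}
		default:
			out = append(out, seg)
		}
	}
	res := "/" + strings.Join(out, "/")
	// "/a/." and "/a/.." denote a directory, so the normalized form keeps a trailing slash.
	last := p[strings.LastIndex(p, "/")+1:]
	if (last == "." || last == "..") && res != "/" {
		res += "/"
	}
	return res
}

// downstreamPath is what a backend that percent-decodes and then normalizes
// (the behaviour the advisory attributes to downstream components) ends up serving.
func downstreamPath(raw string) string {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		decoded = raw
	}
	return removeDotSegments(decoded)
}

// canonicalPath is the hardened counterpart, following the fix the advisory
// describes: percent-encoded dots are rejected outright, encoded slashes only
// pass when explicitly allowed, and dot-segments are resolved before matching.
func canonicalPath(raw string, allowEncodedSlashes bool) (string, error) {
	if encodedDot.MatchString(raw) {
		return "", errors.New("percent-encoded dot in path")
	}
	if !allowEncodedSlashes && encodedSlash.MatchString(raw) {
		return "", errors.New("percent-encoded slash in path")
	}
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	return removeDotSegments(decoded), nil
}

// decide returns the verdict of the first matching rule; no match means deny.
func decide(rules []Rule, path string) bool {
	for _, r := range rules {
		if strings.HasPrefix(path, r.Prefix) {
			return r.Allow
		}
	}
	return false
}

// authorizeRaw matches on the raw path, the pre-0.17.14 behaviour the advisory describes.
func authorizeRaw(rules []Rule, raw string) bool { return decide(rules, raw) }

// authorizeNormalized matches on the canonical path; a rejected path is denied with the reason.
func authorizeNormalized(rules []Rule, raw string, allowEncodedSlashes bool) (bool, error) {
	p, err := canonicalPath(raw, allowEncodedSlashes)
	if err != nil {
		return false, err
	}
	return decide(rules, p), nil
}

func main() {
	rules := []Rule{{Prefix: "/admin", Allow: false}, {Prefix: "/user/", Allow: true}}
	for _, raw := range []string{"/user/profile", "/user/../admin", "/user/%2e%2e/admin", "/user/%2e%2e%2fadmin"} {
		ok, err := authorizeNormalized(rules, raw, false)
		fmt.Printf("%-22s raw-match=%-5t downstream=%-14s normalized-match=%-5t err=%v\n",
			raw, authorizeRaw(rules, raw), downstreamPath(raw), ok, err)
	}
}
```

The column to watch is the disagreement between the raw-path decision and the decision on the downstream-normalized path: every request where they differ is a rule-matching gap of exactly the kind the advisory describes. Rule order matters in the toy matcher (deny rules first), which is one more reason to prefer exact rules over free wildcards such as /user/**.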
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor   Product    Version / Range
dadrus   heimdall   up to 0.17.14 (excluding)
dadrus   heimdall   0.17.14
Exploitability

CWE
CWE-436: Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
CWE-35: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42274 is a security vulnerability in Heimdall, a cloud native Identity Aware Proxy and Access Control Decision service. The issue arises because Heimdall performs rule matching on the raw, non-normalized request path, while downstream components normalize paths according to RFC 3986. This mismatch allows attackers to bypass access controls by using path traversal sequences such as /user/../admin or URL-encoded variants like /user/%2e%2e/admin. Heimdall authorizes the request based on the raw path, but downstream systems process a different, normalized path (e.g., /admin), potentially granting unauthorized access.

The vulnerability is classified under CWE-35 (Path Traversal) and CWE-436 (Interpretation Conflict). It affects Heimdall versions prior to 0.17.14 and has been patched by normalizing request paths and rejecting paths containing URL-encoded dots to prevent such attacks.


How can this vulnerability impact me?

This vulnerability can allow an attacker to bypass Heimdall's access control rules by exploiting the difference between raw and normalized request paths. By sending specially crafted requests with path traversal sequences or encoded dot segments, an attacker might gain unauthorized access to restricted data or functionality.

Depending on the system configuration, especially when using free wildcards in access rules, this could lead to privilege escalation or unauthorized invocation of sensitive operations. The vulnerability has a high CVSS score of 7.8, indicating a significant risk due to its network-based exploitability and potential impact on confidentiality and integrity.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for requests containing path traversal sequences or URL-encoded dot segments such as /user/../admin, /user/%2e%2e/admin, or /user/%2e%2e%2fadmin. These requests indicate attempts to exploit the path normalization discrepancy.

To detect such attempts on your system or network, you can search your web server or proxy logs for these patterns.

  • Use grep or similar tools to find suspicious paths in logs, for example: grep -E '/user/\.\./admin|/user/%2e%2e/admin|/user/%2e%2e%2fadmin' /path/to/access.log
  • Monitor HTTP requests for encoded dot segments (%2e or %2E) or encoded slashes (%2f) that may be used to bypass access controls.

Additionally, since Heimdall prior to version 0.17.14 does not normalize paths, you can test your Heimdall instance by sending crafted requests with path traversal sequences and observe if unauthorized access is granted.
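The three literal grep patterns above only catch the advisory's own examples. A detector should treat any whole "." or ".." segment, and any percent-encoded dot or slash in any case, as suspicious regardless of the path prefix, while not firing on ordinary dots inside file names. The following Go program is an added example, not part of this page or of Heimdall: it parses constructed combined-format access log lines (documentation-range addresses) and reports each flagged request path with the reason. The log format, the Finding type and the sample lines are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one log line whose request path carries a dot-segment in raw or
// percent-encoded form.
type Finding struct {
	Line   int
	Path   string
	Reason string
}

// requestRe pulls the request target out of a common/combined-format access
// log line of the shape "METHOD /path HTTP/x".
var requestRe = regexp.MustCompile(`"(?:GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS) (\S+) HTTP/`)

var (
	encodedDot   = regexp.MustCompile(`(?i)%2e`)
	encodedSlash = regexp.MustCompile(`(?i)%2f`)
)

// requestPath returns the request target of a log line, or "" if it does not parse.
func requestPath(line string) string {
	m := requestRe.FindStringSubmatch(line)
	if m == nil {
		return ""
	}
	return m[1]
}

// suspiciousPath reports whether a path looks like a normalization-bypass
// attempt and why. It flags whole "." / ".." segments only, so a file name
// such as "style.css" is not a hit, and it catches any percent-encoded dot or
// slash rather than only the advisory's three literal examples.
func suspiciousPath(path string) (bool, string) {
	// the query string is not part of the matched path
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i]
	}
	var reasons []string
	if encodedDot.MatchString(path) {
		reasons = append(reasons, "percent-encoded dot")
	}
	if encodedSlash.MatchString(path) {
		reasons = append(reasons, "percent-encoded slash")
	}
	for _, seg := range strings.Split(path, "/") {
		if seg == "." || seg == ".." {
			reasons = append(reasons, "dot-segment")
			break
		}
	}
	return len(reasons) > 0, strings.Join(reasons, ",")
}

// scanLog returns one Finding per flagged line, numbered from 1.
func scanLog(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		p := requestPath(line)
		if p == "" {
			continue
		}
		if hit, why := suspiciousPath(p); hit {
			out = append(out, Finding{Line: i + 1, Path: p, Reason: why})
		}
	}
	return out
}

// sampleLog is constructed for this example; addresses are from the documentation range.
var sampleLog = []string{
	`203.0.113.7 - - [08/May/2026:10:00:01 +0000] "GET /user/profile HTTP/1.1" 200 512`,
	`203.0.113.7 - - [08/May/2026:10:00:02 +0000] "GET /user/../admin HTTP/1.1" 200 2048`,
	`203.0.113.7 - - [08/May/2026:10:00:03 +0000] "GET /user/%2e%2e/admin HTTP/1.1" 200 2048`,
	`203.0.113.7 - - [08/May/2026:10:00:04 +0000] "GET /user/%2E%2E%2Fadmin HTTP/1.1" 200 2048`,
	`203.0.113.7 - - [08/May/2026:10:00:05 +0000] "GET /public/style.css HTTP/1.1" 200 90`,
}

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("line %d: %s (%s)\n", f.Line, f.Path, f.Reason)
	}
}
```

To run it over real proxy or web server logs, replace sampleLog with the lines read from the file. Encoded-slash hits are informational where allow_encoded_slashes is legitimately needed, so tune the reason list to the deployment's configuration; a 2xx status on a flagged line is the case worth investigating first, since it means the request was not rejected.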


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Heimdall to version 0.17.14 or later, where the vulnerability has been patched by normalizing request paths and rejecting requests with URL-encoded dot segments.

If upgrading is not immediately possible, you can mitigate the risk by normalizing paths before they reach Heimdall or configuring Heimdall to reject paths containing relative expressions or encoded dots.

Another mitigation is to include rule IDs in JWTs for downstream validation to ensure authorization decisions are consistent.

Also, review and restrict the use of free wildcards in path rules (e.g., /user/** or /public/**) to reduce exposure.

Ensure that the configuration option allow_encoded_slashes is set to reject encoded slashes unless explicitly required and safe.

Finally, verify that trusted proxies and X-Forwarded-* headers are securely configured to prevent spoofing and privilege escalation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Heimdall allows attackers to bypass access controls by exploiting path normalization mismatches, potentially granting unauthorized access to restricted data or functionality.

Such unauthorized access can lead to breaches of confidentiality and integrity, which are critical concerns under compliance frameworks like GDPR and HIPAA that mandate strict access controls and protection of sensitive data.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to unauthorized data exposure or privilege escalation.

