CVE Alert

CVE-2026-42272

Severity: UNKNOWN (score 0.0)

Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 13th

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.

CWE: CWE-436, CWE-178
Vendor: dadrus
Product: heimdall
Published: May 8, 2026
Last Updated: May 8, 2026

Affected Versions

dadrus/heimdall: versions < 0.17.14

References

GitHub advisory GHSA-43jv-5j4x-qv67: https://github.com/dadrus/heimdall/security/advisories/GHSA-43jv-5j4x-qv67
Fix pull request #3207: https://github.com/dadrus/heimdall/pull/3207
Fix commit: https://github.com/dadrus/heimdall/commit/8b0de6aba23a047cfee3081df878271bb17f4351
Release v0.17.14: https://github.com/dadrus/heimdall/releases/tag/v0.17.14