CVE-2026-42273
Heimdall: Case-sensitive host matching may lead to policy bypass
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. Because of this discrepancy, Heimdall can fail to match a rule for a request host that differs from the rule's host only in letter casing, so the request may be classified differently than intended. This issue has been patched in version 0.17.14.
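The mismatch the advisory describes, as an added Go example that is not Heimdall's own code: a simplified rule matcher with a byte-for-byte host comparison beside one that lowercases both sides before comparing, so a host that differs only in casing still hits the intended rule. The `Rule` type, hostnames and policy names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule pairs a host with the policy that should apply to requests for it.
// Constructed for this example; not Heimdall's real rule structure.
type Rule struct {
	Host   string
	Policy string
}

// matchCaseSensitive reproduces the flawed behaviour: the request host
// must match the rule host byte-for-byte, so "API.Example.COM" never
// matches a rule written as "api.example.com".
func matchCaseSensitive(rules []Rule, host string) (string, bool) {
	for _, r := range rules {
		if r.Host == host {
			return r.Policy, true
		}
	}
	return "", false
}

// matchNormalized lowercases both the rule host and the request host
// before comparing, because DNS names and HTTP Host values are
// case-insensitive; the request then lands on the rule the operator meant.
func matchNormalized(rules []Rule, host string) (string, bool) {
	want := strings.ToLower(host)
	for _, r := range rules {
		if strings.ToLower(r.Host) == want {
			return r.Policy, true
		}
	}
	return "", false
}

func main() {
	rules := []Rule{{Host: "api.example.com", Policy: "require-jwt"}}
	for _, h := range []string{"api.example.com", "API.Example.COM"} {
		_, sens := matchCaseSensitive(rules, h)
		p, norm := matchNormalized(rules, h)
		fmt.Printf("%-16s case-sensitive match=%v  normalized match=%v policy=%q\n", h, sens, norm, p)
	}
}
```

A request that falls through every rule is handled by whatever default Heimdall applies, which is the "classified differently than intended" outcome the advisory warns about.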
| CWE | CWE-436, CWE-178 |
| Vendor | dadrus |
| Product | heimdall |
| Published | May 8, 2026 |
| Last Updated | May 8, 2026 |
Affected Versions
dadrus / heimdall
< 0.17.14
References
- GitHub advisory: https://github.com/dadrus/heimdall/security/advisories/GHSA-72h4-mxfc-jx37
- Pull request: https://github.com/dadrus/heimdall/pull/3208
- Fix commit: https://github.com/dadrus/heimdall/commit/3d05e56a9e7ef0355f17482b4322054af4e85943
- Release: https://github.com/dadrus/heimdall/releases/tag/v0.17.14