CVE-2026-42274
Heimdall: Authorization bypass via path normalization mismatch
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14.
| CWE | CWE-35 CWE-436 |
| Vendor | dadrus |
| Product | heimdall |
| Published | May 8, 2026 |
Get instant alerts for dadrus heimdall
Be the first to know when new unknown vulnerabilities affecting dadrus heimdall are published โ delivered to Slack, Telegram or Discord.