CVE-2026-32811

{"id": "CVE-2026-32811", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-20T02:16:34.857", "references": [{"url": "https://github.com/dadrus/heimdall/commit/50321b3007db1ccafdc6b1cfd6bdc3689c19a502", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dadrus/heimdall/pull/3106", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dadrus/heimdall/security/advisories/GHSA-r8x2-fhmf-6mxp", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/envoyproxy/envoy/blob/105b4acd422d67fcff908ec38d91c7676d079939/api/envoy/service/auth/v3/attribute_context.proto#L146-L147", "tags": ["Patch"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-116"}, {"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. When using Heimdall in envoy gRPC decision API mode with versions 0.7.0-alpha through 0.17.10, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. Envoy splits the requested URL into parts, and sends the parts individually to Heimdall. Although query and path are present in the API, the query field is documented to be always empty and the URL query is included in the path field. The implementation uses go's url library to reconstruct the url which automatically encodes special characters in the path. As a consequence, a parameter like /mypath?foo=bar to Path is escaped into /mypath%3Ffoo=bar. Subsequently, a rule matching /mypath no longer matches and is bypassed. The issue can only lead to unintended access if Heimdall is configured with an \"allow all\" default rule. Since v0.16.0, Heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled, e.g. via --insecure-skip-secure-default-rule-enforcement or the broader --insecure flag. This issue has been fixed in version 0.17.11."}, {"lang": "es", "value": "Heimdall es un Proxy Consciente de la Identidad y un servicio de decisi\u00f3n de control de acceso nativo de la nube. Al usar Heimdall en modo API de decisi\u00f3n gRPC de Envoy con las versiones 0.7.0-alpha hasta 0.17.10, una codificaci\u00f3n incorrecta de la cadena de URL de consulta permite que se eludan reglas con expresiones de ruta sin comodines. Envoy divide la URL solicitada en partes y env\u00eda las partes individualmente a Heimdall. Aunque la consulta y la ruta est\u00e1n presentes en la API, el campo de consulta est\u00e1 documentado para estar siempre vac\u00edo y la consulta de la URL se incluye en el campo de ruta. La implementaci\u00f3n utiliza la biblioteca url de Go para reconstruir la URL, lo que codifica autom\u00e1ticamente los caracteres especiales en la ruta. Como consecuencia, un par\u00e1metro como /mypath?foo=bar a Path se escapa a /mypath%3Ffoo=bar. Posteriormente, una regla que coincide con /mypath ya no coincide y es eludida. El problema solo puede conducir a un acceso no intencionado si Heimdall est\u00e1 configurado con una regla predeterminada de 'permitir todo'. Desde la v0.16.0, Heimdall aplica valores predeterminados seguros y se niega a iniciar con dicha configuraci\u00f3n a menos que esta aplicaci\u00f3n se deshabilite expl\u00edcitamente, p. ej., a trav\u00e9s de --insecure-skip-secure-default-rule-enforcement o la bandera m\u00e1s amplia --insecure. Este problema ha sido solucionado en la versi\u00f3n 0.17.11."}], "lastModified": "2026-03-30T15:01:22.760", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dadrus:heimdall:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7FC50B38-5B44-4237-B80D-7C6BC29FFC0C", "versionEndExcluding": "0.17.11", "versionStartIncluding": "0.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}