CVE-2026-42272

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.

CVSS

No CVSS.

References

Link	Resource
https://github.com/dadrus/heimdall/commit/8b0de6aba23a047cfee3081df878271bb17f4351
https://github.com/dadrus/heimdall/pull/3207
https://github.com/dadrus/heimdall/releases/tag/v0.17.14
https://github.com/dadrus/heimdall/security/advisories/GHSA-43jv-5j4x-qv67

Configurations

No configuration.

History

08 May 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-08 04:16

Updated : 2026-05-08 16:03

NVD link : CVE-2026-42272

Mitre link : CVE-2026-42272

CVE.ORG link : CVE-2026-42272

JSON object : View

Products Affected

No product.

CWE

CWE-178

Improper Handling of Case Sensitivity

CWE-436

Interpretation Conflict

{"id": "CVE-2026-42272", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-05-08T04:16:22.013", "references": [{"url": "https://github.com/dadrus/heimdall/commit/8b0de6aba23a047cfee3081df878271bb17f4351", "source": "security-advisories@github.com"}, {"url": "https://github.com/dadrus/heimdall/pull/3207", "source": "security-advisories@github.com"}, {"url": "https://github.com/dadrus/heimdall/releases/tag/v0.17.14", "source": "security-advisories@github.com"}, {"url": "https://github.com/dadrus/heimdall/security/advisories/GHSA-43jv-5j4x-qv67", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-178"}, {"lang": "en", "value": "CWE-436"}]}], "descriptions": [{"lang": "en", "value": "Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14."}], "lastModified": "2026-05-08T16:03:26.693", "sourceIdentifier": "security-advisories@github.com"}