Heimdall is a cloud-native Identity Aware Proxy and Access Control Decision service that integrates with Envoy via a gRPC decision API. In versions 0.7.0-alpha through 0.17.10, a vulnerability (CVE-2026-32811) exists due to improper encoding or escaping of output (CWE-116) affecting how URL paths are processed. Envoy splits the requested URL into components and sends them to Heimdall, where the query string is expected to be empty and the entire URL including the query is passed in the path field. Heimdall uses Go's URL library to reconstruct the URL path, which automatically percent-encodes special characters such as the question mark ('?'). For example, a path like '/mypath?foo=bar' becomes '/mypath%3Ffoo=bar'. This encoding causes path-based access control rules that match '/mypath' to fail, effectively bypassing those rules. However, this bypass only results in unintended access if Heimdall is configured with an 'allow all' default rule, which is insecure and disallowed by default since version 0.16.0 unless the enforcement is explicitly disabled via flags like --insecure-skip-secure-default-rule-enforcement or --insecure. The vulnerability has a CVSS 3.1 score of 8.2 (high severity), reflecting its network attack vector, low attack complexity, no privileges or user interaction required, and impact mainly on confidentiality and integrity. The issue was fixed in version 0.17.11 by correcting the URL handling logic to prevent rule bypass. No public exploits are known at this time.

This vulnerability can lead to unauthorized access to protected resources by bypassing path-based access control rules in Heimdall deployments using vulnerable versions. The primary impact is on confidentiality and integrity, as attackers may gain access to sensitive data or perform unauthorized actions by exploiting the URL encoding flaw. Availability is not affected. The risk is heightened in environments where Heimdall is misconfigured with an insecure 'allow all' default rule, which is discouraged and disabled by default in recent versions. Organizations relying on Heimdall for identity-aware proxying and access control, especially in cloud-native and microservices architectures, could face data exposure or privilege escalation if vulnerable versions are deployed with insecure configurations. Since no authentication or user interaction is required, remote attackers can exploit this vulnerability over the network, increasing the threat surface. Although no known exploits exist in the wild yet, the high CVSS score and ease of exploitation warrant prompt remediation.

Organizations should immediately upgrade Heimdall to version 0.17.11 or later, where the vulnerability is fixed. Until upgrading, ensure that Heimdall is not configured with an 'allow all' default rule; verify that secure default rule enforcement is enabled and that flags like --insecure or --insecure-skip-secure-default-rule-enforcement are not used. Review and audit access control policies to confirm that path-based rules are correctly defined and enforced. Implement network-level protections such as firewall rules and API gateway filters to restrict access to Heimdall services. Monitor logs for anomalous access patterns that may indicate attempts to exploit URL encoding bypasses. Consider deploying Web Application Firewalls (WAFs) capable of detecting suspicious URL encodings. Finally, incorporate this vulnerability into vulnerability management and patching workflows to ensure timely updates of Heimdall and related components.