CVE-2026-42272: CWE-436: Interpretation Conflict in dadrus heimdall
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.
AI Analysis
Technical Summary
Heimdall, a cloud native Identity Aware Proxy and Access Control Decision service, had a vulnerability (CVE-2026-42272) where it handled URL-encoded slashes (%2F) case-sensitively, contrary to the percent-encoding standard which is case-insensitive. Specifically, the lowercase %2f was not recognized when allow_encoded_slashes was set to off, causing inconsistent request path interpretation between heimdall and upstream components. This inconsistency could be exploited to bypass authorization controls. The vulnerability affects versions before 0.17.14 and was patched in that release.
Potential Impact
The vulnerability can cause authorization bypass due to inconsistent interpretation of URL-encoded slashes between heimdall and upstream components. This may allow unauthorized access to protected resources or services. The CVSS 4.0 score is 7.8 (high severity), indicating a significant risk if exploited. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade heimdall to version 0.17.14 or later, where this issue is patched. Since this is not a cloud service, users must apply the update themselves. Patch status is confirmed by the vendor's versioning information. No other mitigation is indicated.
CVE-2026-42272: CWE-436: Interpretation Conflict in dadrus heimdall
Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Heimdall, a cloud native Identity Aware Proxy and Access Control Decision service, had a vulnerability (CVE-2026-42272) where it handled URL-encoded slashes (%2F) case-sensitively, contrary to the percent-encoding standard which is case-insensitive. Specifically, the lowercase %2f was not recognized when allow_encoded_slashes was set to off, causing inconsistent request path interpretation between heimdall and upstream components. This inconsistency could be exploited to bypass authorization controls. The vulnerability affects versions before 0.17.14 and was patched in that release.
Potential Impact
The vulnerability can cause authorization bypass due to inconsistent interpretation of URL-encoded slashes between heimdall and upstream components. This may allow unauthorized access to protected resources or services. The CVSS 4.0 score is 7.8 (high severity), indicating a significant risk if exploited. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade heimdall to version 0.17.14 or later, where this issue is patched. Since this is not a cloud service, users must apply the update themselves. Patch status is confirmed by the vendor's versioning information. No other mitigation is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T11:53:27.707Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fd5dbdcbff5d86108b6467
Added to database: 5/8/2026, 3:51:25 AM
Last enriched: 5/8/2026, 4:06:38 AM
Last updated: 5/9/2026, 5:17:25 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.