CVE-2026-42273: CWE-436: Interpretation Conflict in dadrus heimdall
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host that differs only in letter casing, potentially causing the request to be classified differently than intended. This issue has been patched in version 0.17.14.
AI Analysis
Technical Summary
Heimdall, a cloud native Identity Aware Proxy and Access Control Decision service, had a vulnerability (CVE-2026-42273) due to case-sensitive host matching prior to version 0.17.14. Since HTTP hostnames are case-insensitive, this discrepancy could cause heimdall to misclassify requests whose hostnames differ only in letter casing. This is classified under CWE-436 (Interpretation Conflict) and CWE-178 (Improper Neutralization). The vulnerability has been patched in version 0.17.14. The CVSS 4.0 score is 7.8, indicating high severity, with network attack vector, low attack complexity, no privileges or user interaction required, but with high scope and impact on confidentiality, integrity, and availability.
Potential Impact
Requests with hostnames differing only by letter case may be incorrectly classified by heimdall, potentially leading to unintended access control decisions. This could affect the security posture by allowing or denying access improperly. No known exploits are reported in the wild. The impact affects confidentiality, integrity, and availability as per the CVSS vector.
Mitigation Recommendations
Upgrade heimdall to version 0.17.14 or later, where this case sensitivity issue in host matching has been fixed. No other mitigation is indicated or required.
CVE-2026-42273: CWE-436: Interpretation Conflict in dadrus heimdall
Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host that differs only in letter casing, potentially causing the request to be classified differently than intended. This issue has been patched in version 0.17.14.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Heimdall, a cloud native Identity Aware Proxy and Access Control Decision service, had a vulnerability (CVE-2026-42273) due to case-sensitive host matching prior to version 0.17.14. Since HTTP hostnames are case-insensitive, this discrepancy could cause heimdall to misclassify requests whose hostnames differ only in letter casing. This is classified under CWE-436 (Interpretation Conflict) and CWE-178 (Improper Neutralization). The vulnerability has been patched in version 0.17.14. The CVSS 4.0 score is 7.8, indicating high severity, with network attack vector, low attack complexity, no privileges or user interaction required, but with high scope and impact on confidentiality, integrity, and availability.
Potential Impact
Requests with hostnames differing only by letter case may be incorrectly classified by heimdall, potentially leading to unintended access control decisions. This could affect the security posture by allowing or denying access improperly. No known exploits are reported in the wild. The impact affects confidentiality, integrity, and availability as per the CVSS vector.
Mitigation Recommendations
Upgrade heimdall to version 0.17.14 or later, where this case sensitivity issue in host matching has been fixed. No other mitigation is indicated or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T11:53:27.707Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fd5dbdcbff5d86108b646d
Added to database: 5/8/2026, 3:51:25 AM
Last enriched: 5/8/2026, 4:06:33 AM
Last updated: 5/9/2026, 6:19:13 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.