CVE-2026-42274: CWE-35: Path Traversal: '.../...//' in dadrus heimdall
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14.
AI Analysis
Technical Summary
Heimdall, a cloud native Identity Aware Proxy and Access Control Decision service, prior to version 0.17.14, performs rule matching on the raw, non-normalized request path. Downstream components normalize dot-segments per RFC 3986 Section 6.2.2.3, leading to a discrepancy where Heimdall authorizes a request for a path like /user/../admin or its encoded variants, but the downstream processes the normalized path /admin. This path traversal vulnerability (CWE-35) can result in unauthorized access. The vulnerability is addressed in Heimdall version 0.17.14.
Potential Impact
An attacker can exploit this vulnerability to bypass access controls by crafting requests with path traversal sequences or encoded equivalents, causing Heimdall to authorize access to resources that should be restricted. This can lead to unauthorized access to sensitive paths or functionality within the application environment protected by Heimdall.
Mitigation Recommendations
Upgrade Heimdall to version 0.17.14 or later, where this path traversal vulnerability has been patched. Patch status is confirmed by the vendor advisory indicating the fix in version 0.17.14. No other mitigation is specified or required.
CVE-2026-42274: CWE-35: Path Traversal: '.../...//' in dadrus heimdall
Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Heimdall, a cloud native Identity Aware Proxy and Access Control Decision service, prior to version 0.17.14, performs rule matching on the raw, non-normalized request path. Downstream components normalize dot-segments per RFC 3986 Section 6.2.2.3, leading to a discrepancy where Heimdall authorizes a request for a path like /user/../admin or its encoded variants, but the downstream processes the normalized path /admin. This path traversal vulnerability (CWE-35) can result in unauthorized access. The vulnerability is addressed in Heimdall version 0.17.14.
Potential Impact
An attacker can exploit this vulnerability to bypass access controls by crafting requests with path traversal sequences or encoded equivalents, causing Heimdall to authorize access to resources that should be restricted. This can lead to unauthorized access to sensitive paths or functionality within the application environment protected by Heimdall.
Mitigation Recommendations
Upgrade Heimdall to version 0.17.14 or later, where this path traversal vulnerability has been patched. Patch status is confirmed by the vendor advisory indicating the fix in version 0.17.14. No other mitigation is specified or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T11:53:27.707Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fd5dc1cbff5d86108b6498
Added to database: 5/8/2026, 3:51:29 AM
Last enriched: 5/8/2026, 4:06:26 AM
Last updated: 5/9/2026, 5:23:11 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.