216.73.217.22

CVE-2026-42274

· Published 08/05/2026 04:16 · Modified 08/05/2026 16:03

Labels: CVE-2026-42274 2026-05-08CVE-2026-42274CWE-35[email protected]

Essential information

Published
08/05/2026 04:16
Modified
08/05/2026 16:03
Author
Creator
CVSS
7.8 HIGH (v3) 7.8 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
heimdall / heimdall cpe:2.3:a:heimdall:heimdall:<0.17.14:*:*:*:*:*:*:*

References