PT-2026-26091 · Heimdal · Heimdal

Kakadus · Published 2026-03-18 · Updated 2026-04-25 · CVE-2026-32811

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Heimdall versions 0.7.0-alpha through 0.17.10

Description: Heimdall, a cloud-native Identity Aware Proxy and Access Control Decision service, contains an issue where incorrect encoding of the query string of the request URL can allow bypass of rules with non-wildcard path expressions when Heimdall is used in Envoy gRPC decision API mode. Envoy splits the requested URL into parts and sends them to Heimdall individually. The query field is documented as always being empty, with the URL query included in the path field. The implementation uses the Go URL library to reconstruct the URL, which automatically percent-encodes special characters in the path. As a result, a request such as /mypath?foo=bar is reconstructed as /mypath%3Ffoo=bar, so rules matching /mypath no longer match and are bypassed. This issue can only lead to unintended access if Heimdall is configured with an "allow all" default rule. The vulnerable component is the URL reconstruction process in the request context.go file. The API endpoint involved is the gRPC decision API. The vulnerable parameter is Path.

Recommendations: Update to Heimdall version 0.17.11 or later.
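The following is an added example, not Heimdall's own code, that reproduces the encoding behaviour the description explains, beside the corrected reconstruction and a stand-in rule decision showing why only an "allow all" default rule is exposed. The EnvoyRequest type, the Allowed function and the rule path are assumptions made for the illustration, not Heimdall's API.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// EnvoyRequest is a constructed stand-in for the Envoy ext_authz attributes
// as the advisory describes them: Query is always empty and the query
// string travels inside Path (e.g. "/mypath?foo=bar").
type EnvoyRequest struct {
	Path  string
	Query string
}

// ReconstructVulnerable mirrors the flawed behaviour the advisory describes:
// the raw Path field is dropped into url.URL.Path, so Go's path encoder
// escapes the '?' as %3F and the query string becomes part of the path.
func ReconstructVulnerable(r EnvoyRequest) *url.URL {
	return &url.URL{Path: r.Path, RawQuery: r.Query}
}

// ReconstructFixed splits the query string off before building the URL, so
// the path stays "/mypath" and the query lands in RawQuery where it belongs.
func ReconstructFixed(r EnvoyRequest) *url.URL {
	path, query, _ := strings.Cut(r.Path, "?")
	if r.Query != "" {
		query = r.Query
	}
	return &url.URL{Path: path, RawQuery: query}
}

// Allowed is a hypothetical decision for an unauthenticated request: one exact
// (non-wildcard) rule protects protectedPath, a default rule decides the rest.
func Allowed(u *url.URL, protectedPath string, allowAllDefault bool) bool {
	if u.EscapedPath() == protectedPath {
		return false // the specific rule matched: authentication required, denied
	}
	return allowAllDefault // no rule matched: the default rule decides
}

func main() {
	req := EnvoyRequest{Path: "/mypath?foo=bar"}
	vuln, fixed := ReconstructVulnerable(req), ReconstructFixed(req)
	fmt.Println(vuln.RequestURI(), Allowed(vuln, "/mypath", true))   // /mypath%3Ffoo=bar true  (bypass)
	fmt.Println(vuln.RequestURI(), Allowed(vuln, "/mypath", false))  // /mypath%3Ffoo=bar false (deny default holds)
	fmt.Println(fixed.RequestURI(), Allowed(fixed, "/mypath", true)) // /mypath?foo=bar false   (rule applies again)
}
```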

Weakness Enumeration

Incorrect Authorization
Improper Encoding or Escaping of Output

Related Identifiers

CVE-2026-32811
GHSA-R8X2-FHMF-6MXP
GO-2026-4742
SUSE-SU-2026:1135-1

Affected Products

Heimdal