PT-2026-37186 · Heimdal · Heimdal

Published: 2026-04-25 · Updated: 2026-05-09 · CVE-2026-42272

CVSS v4.0: 7.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: Heimdall versions prior to 0.17.14

Description: Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, whereas percent-encoding is defined as case-insensitive. When the allow encoded slashes variable is set to off (the default setting), the lowercase equivalent (%2f) is not recognized or processed as expected. This discrepancy can cause request paths to be interpreted differently by Heimdall and upstream components, potentially leading to authorization bypass. This occurs if the default rule is overly permissive, allowing a request like /admin%2fsecret to bypass specific path rules and be processed by the upstream service as /admin/secret. Such a bypass may allow unauthorized access to restricted data, invocation of protected functionality, or privilege escalation.

Recommendations: Update to version 0.17.14. Avoid using the --insecure or --insecure-skip-secure-default-rule-enforcement flags and configure the default rule to implement a deny-by-default policy. Reject HTTP paths containing encoded slashes in the network layers positioned in front of the service. Include the ID of the rule expected to be executed in the JWT issued by the service and verify that value in the project service.
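The following Go program is an added illustration of the parsing discrepancy described above and of the network-layer check the recommendations call for; it is not Heimdall's code, and the rule matcher is a deliberately simplified model (a single `/admin/` prefix rule and a fully decoding upstream) rather than Heimdall's actual rule engine. `naiveIsProtected` reproduces the case-sensitive treatment of `%2F` that the advisory describes, `normalizedIsProtected` decodes percent-encoding case-insensitively before matching, `upstreamPath` shows what a decoding upstream would see, and `containsEncodedSlash` is the case-insensitive reject that a reverse proxy or WAF in front of the service can apply.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// containsEncodedSlash reports whether the raw request path carries a
// percent-encoded slash in any case variant (%2F or %2f). A layer in front of
// the service can reject such requests outright, as the advisory recommends.
func containsEncodedSlash(rawPath string) bool {
	return strings.Contains(strings.ToUpper(rawPath), "%2F")
}

// naiveIsProtected models the flawed, case-sensitive behaviour described in the
// advisory: only the uppercase %2F is treated as a slash before the /admin/
// prefix rule is evaluated, so /admin%2fsecret does not match the rule.
func naiveIsProtected(rawPath string) bool {
	p := strings.ReplaceAll(rawPath, "%2F", "/")
	return strings.HasPrefix(p, "/admin/")
}

// normalizedIsProtected decodes percent-encoding case-insensitively (as RFC 3986
// defines it) and cleans the path before applying the same prefix rule, so the
// rule engine sees the path the same way a decoding upstream does.
func normalizedIsProtected(rawPath string) (bool, error) {
	p, err := upstreamPath(rawPath)
	if err != nil {
		return false, err
	}
	return strings.HasPrefix(p, "/admin/"), nil
}

// upstreamPath models an upstream service that fully decodes and normalizes
// the request path; url.PathUnescape accepts both %2F and %2f.
func upstreamPath(rawPath string) (string, error) {
	p, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	return path.Clean(p), nil
}

func main() {
	// Constructed sample request paths, including the bypass shape from the advisory.
	samples := []string{"/admin/secret", "/admin%2Fsecret", "/admin%2fsecret", "/public/index"}
	for _, raw := range samples {
		up, _ := upstreamPath(raw)
		norm, _ := normalizedIsProtected(raw)
		fmt.Printf("%-18s naive=%-5v normalized=%-5v upstream=%-14s rejectAtEdge=%v\n",
			raw, naiveIsProtected(raw), norm, up, containsEncodedSlash(raw))
	}
}
```

The line for `/admin%2fsecret` is the one that matters: the naive matcher reports the request as unprotected while the upstream resolves it to `/admin/secret`, which is exactly the disagreement that turns a permissive default rule into an authorization bypass. Either normalizing before matching or rejecting encoded slashes at the edge closes that gap; the advisory recommends the edge reject in addition to upgrading.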

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-42272
GHSA-43JV-5J4X-QV67

Affected Products

Heimdal