PT-2026-37187 · Heimdall · Heimdall
Kakadus · Published 2026-04-25 · Updated 2026-05-09 · CVE-2026-42273
CVSS v4.0: 7.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Heimdall versions prior to 0.17.14
Description: Heimdall matches the request host against the host patterns of its rules case-sensitively, while HTTP hostnames (like DNS names) are case-insensitive. A request whose Host value differs from the configured host only in letter casing (for example ADMIN.example.com instead of admin.example.com) therefore fails to match the rule written for that host and falls through to whatever rule matches next. If the service is configured with a permissive default rule, which becomes possible once secure defaults are disabled via the --insecure or --insecure-skip-secure-default-rule-enforcement flags, the request is handled by that default rule instead of the intended one, bypassing the access control policy. Such a bypass may result in unauthorized access to restricted data, invocation of protected functionality, or privilege escalation.
Recommendations: Update to version 0.17.14 or later. Normalize request hosts to lowercase in the layers in front of Heimdall (ingress or reverse proxy). Do not configure a permissive default rule and do not run with the --insecure or --insecure-skip-secure-default-rule-enforcement flags. When matching hosts with a regular expression, make the expression case-insensitive and escape the dots, e.g. (?i)^admin\.example\.com$; an unescaped dot matches any character, so ^admin.example.com$ would also match adminXexample.com. Include the expected rule ID in the JWT issued by Heimdall and verify that value in the consuming service.
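The following Go program is an added illustration of the description and the recommendations above; it is not Heimdall's own code. It models rule selection with a deliberately simplified Rule type (an ID, a "may anonymous access proceed" flag and a host matcher; real Heimdall rules carry a pipeline instead), puts a case-sensitive exact host rule in front of a permissive default rule to show the fall-through, and then applies the mitigations together: host normalization as an upstream layer would do it, a case-insensitive regex with escaped dots, and a deny-by-default rule. The rule IDs, hostnames and sample Host values are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Rule is a minimal stand-in for an access rule selected by request host.
// Allow reports whether the rule permits anonymous access; a real rule would
// carry an authentication/authorization pipeline instead (assumption for the example).
type Rule struct {
	ID      string
	Allow   bool
	matches func(host string) bool // nil on a default rule, which matches everything
}

// Decision records which rule a request landed on and what it permits.
type Decision struct {
	RuleID string
	Allow  bool
}

// newExactRule matches the configured host byte-for-byte, i.e. case-sensitively.
func newExactRule(id, host string, allow bool) Rule {
	return Rule{ID: id, Allow: allow, matches: func(h string) bool { return h == host }}
}

// newRegexRule matches the host against a pattern; case sensitivity depends
// entirely on the pattern, so use the (?i) flag for a case-insensitive match.
func newRegexRule(id, pattern string, allow bool) Rule {
	re := regexp.MustCompile(pattern)
	return Rule{ID: id, Allow: allow, matches: re.MatchString}
}

// evaluate walks the rules in order and falls back to the default rule when
// none matches, which is the path an unexpected casing takes.
func evaluate(rules []Rule, defaultRule Rule, host string) Decision {
	for _, r := range rules {
		if r.matches(host) {
			return Decision{RuleID: r.ID, Allow: r.Allow}
		}
	}
	return Decision{RuleID: defaultRule.ID, Allow: defaultRule.Allow}
}

// NormalizeHost canonicalises a Host header value the way a layer in front of
// Heimdall should: drop an explicit port, drop a trailing dot, lower-case.
func NormalizeHost(rawHost string) string {
	h := strings.TrimSpace(rawHost)
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host // "[::1]:8080" -> "::1", "Admin.Example.COM:8443" -> "Admin.Example.COM"
	}
	h = strings.TrimSuffix(h, ".")
	return strings.ToLower(h)
}

// DecideCaseSensitive models the vulnerable setup: an exact, case-sensitive
// host rule protecting the admin host, plus a permissive default rule (what an
// operator gets after disabling secure default rule enforcement).
func DecideCaseSensitive(host string) Decision {
	rules := []Rule{newExactRule("admin-protected", "admin.example.com", false)}
	permissiveDefault := Rule{ID: "default-allow", Allow: true}
	return evaluate(rules, permissiveDefault, host)
}

// DecideHardened applies the mitigations together: normalize the host before
// matching, match with a case-insensitive regex whose dots are escaped, and
// keep a deny-by-default rule so fall-through never grants access.
func DecideHardened(host string) Decision {
	rules := []Rule{newRegexRule("admin-protected", `(?i)^admin\.example\.com$`, false)}
	denyDefault := Rule{ID: "default-deny", Allow: false}
	return evaluate(rules, denyDefault, NormalizeHost(host))
}

// UnescapedDotMatches shows why the dots must be escaped: with a bare '.',
// the pattern also matches hosts that merely resemble the admin host.
func UnescapedDotMatches(host string) bool {
	return regexp.MustCompile(`(?i)^admin.example.com$`).MatchString(host)
}

func main() {
	// Constructed sample Host values: the exact host, the casing variant that
	// bypasses the case-sensitive rule, and shapes a normalizer must handle.
	samples := []string{
		"admin.example.com", "ADMIN.example.com",
		"Admin.Example.COM:8443", "admin.example.com.", "adminXexample.com",
	}
	for _, h := range samples {
		fmt.Printf("%-24s case-sensitive=%+v hardened=%+v\n",
			h, DecideCaseSensitive(h), DecideHardened(h))
	}
}
```

Running it shows ADMIN.example.com landing on default-allow under the case-sensitive matcher and on admin-protected under the hardened one; the last sample only matches the protected rule when the regex dots are left unescaped, which is why the recommended pattern escapes them.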

Related Identifiers

CVE-2026-42273
GHSA-72H4-MXFC-JX37

Affected Products

Heimdall