PT-2026-37188 · Heimdal · Heimdal

Dadrus · Published 2026-04-25 · Updated 2026-05-09 · CVE-2026-42274

CVSS v4.0: 7.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Heimdall versions prior to 0.17.14

Description: Heimdall performs rule matching on the raw request path, whereas downstream components may normalize dot-segments according to RFC 3986. Because of this discrepancy, Heimdall can authorize a request for one path (such as '/user/../admin', or a URL-encoded variant such as '/user/%2e%2e/admin') while the downstream service processes a different, normalized path (such as '/admin'). The issue is exploitable when rule matching uses wildcards without further constraints, and can lead to bypass of access control policies, unauthorized access to or modification of restricted data, invocation of protected functionality, or privilege escalation.

Recommendations: Update to version 0.17.14. Normalize HTTP paths, or reject paths containing relative path expressions, in the layers in front of Heimdall. Include the ID of the rule expected to be executed in the JWT issued by Heimdall and verify that value in the consuming service.
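The mismatch described above, shown as an added Go example (not Heimdall's own code): a matcher that checks the wildcard rule against the raw path accepts the advisory's two disguised paths, while a matcher that first decodes and resolves dot-segments sees the path the upstream will act on; the rule prefix, function names and sample paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// matchRaw mirrors the flaw: rule "/user/*" (prefix "/user/") is checked against the raw path.
func matchRaw(rulePrefix, rawPath string) bool {
	return strings.HasPrefix(rawPath, rulePrefix)
}

// normalizePath decodes percent-encoding and resolves dot-segments like an RFC 3986 downstream.
func normalizePath(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	return path.Clean("/" + strings.TrimPrefix(decoded, "/")), nil
}

// matchNormalized applies the rule to the normalized path, i.e. the path upstream will act on.
func matchNormalized(rulePrefix, rawPath string) (bool, error) {
	p, err := normalizePath(rawPath)
	if err != nil {
		return false, err
	}
	return strings.HasPrefix(p, rulePrefix), nil
}

// hasDotSegments lets a layer in front of Heimdall reject "." or ".." segments, as recommended.
func hasDotSegments(rawPath string) bool {
	decoded, err := url.PathUnescape(rawPath)
	for _, seg := range strings.Split(decoded, "/") {
		if seg == "." || seg == ".." {
			return true
		}
	}
	return err != nil // undecodable input is treated as suspicious too
}

func main() {
	for _, p := range []string{"/user/../admin", "/user/%2e%2e/admin", "/user/profile"} {
		n, _ := normalizePath(p)
		m, _ := matchNormalized("/user/", p)
		fmt.Printf("%-20s raw=%-5v normalized=%-9q safe=%-5v reject=%v\n", p, matchRaw("/user/", p), n, m, hasDotSegments(p))
	}
}
```

Note that url.PathUnescape also decodes an encoded slash, so a front layer that wants to keep encoded slashes distinct from literal ones must handle that separately.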

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-42274
GHSA-3Q34-RX83-R6MQ

Affected Products

Heimdal