CVE-2026-32811

Exploit

EPSS 0.3%
Veröffentlicht 20.03.2026 02:16:34
Zuletzt bearbeitet 30.03.2026 15:01:22
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Heimdall: Path received via Envoy gRPC corrupted when containing query string

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. When using Heimdall in envoy gRPC decision API mode with versions 0.7.0-alpha through 0.17.10, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. Envoy splits the requested URL into parts, and sends the parts individually to Heimdall. Although query and path are present in the API, the query field is documented to be always empty and the URL query is included in the path field. The implementation uses go's url library to reconstruct the url which automatically encodes special characters in the path. As a consequence, a parameter like /mypath?foo=bar to Path is escaped into /mypath%3Ffoo=bar. Subsequently, a rule matching /mypath no longer matches and is bypassed. The issue can only lead to unintended access if Heimdall is configured with an "allow all" default rule. Since v0.16.0, Heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled, e.g. via --insecure-skip-secure-default-rule-enforcement or the broader --insecure flag. This issue has been fixed in version 0.17.11.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dadrus ≫ Heimdall Version >= 0.7.0 < 0.17.11

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.214

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/dadrus/heimdall/commit/50321b3007db1ccafdc6b1cfd6bdc3689c19a502

Patch

https://github.com/dadrus/heimdall/pull/3106

Patch

Issue Tracking

https://github.com/dadrus/heimdall/security/advisories/GHSA-r8x2-fhmf-6mxp

Vendor Advisory

Exploit

https://github.com/envoyproxy/envoy/blob/105b4acd422d67fcff908ec38d91c7676d079939/api/envoy/service/auth/v3/attribute_context.proto#L146-L147

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-32811

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32811

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32811

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32811