Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14.
INFO
Published Date :
2026-05-08T03:43:41.597Z
Last Modified :
2026-05-08T03:43:41.597Z
Source :
GitHub_M
AFFECTED PRODUCTS
The following products are affected by CVE-2026-42274 vulnerability.
| Vendors | Products |
|---|---|
| Dadrus |
|
REFERENCES
Here, you will find a curated list of external links that provide in-depth information to CVE-2026-42274.
