{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32811", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T17:35:36.696Z", "datePublished": "2026-03-20T01:52:08.415Z", "dateUpdated": "2026-03-20T01:52:08.415Z"}, "containers": {"cna": {"title": "Heimdall: Path received via Envoy gRPC corrupted when containing query string", "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dadrus/heimdall/security/advisories/GHSA-r8x2-fhmf-6mxp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dadrus/heimdall/security/advisories/GHSA-r8x2-fhmf-6mxp"}, {"name": "https://github.com/dadrus/heimdall/pull/3106", "tags": ["x_refsource_MISC"], "url": "https://github.com/dadrus/heimdall/pull/3106"}, {"name": "https://github.com/dadrus/heimdall/commit/50321b3007db1ccafdc6b1cfd6bdc3689c19a502", "tags": ["x_refsource_MISC"], "url": "https://github.com/dadrus/heimdall/commit/50321b3007db1ccafdc6b1cfd6bdc3689c19a502"}, {"name": "https://github.com/envoyproxy/envoy/blob/105b4acd422d67fcff908ec38d91c7676d079939/api/envoy/service/auth/v3/attribute_context.proto#L146-L147", "tags": ["x_refsource_MISC"], "url": "https://github.com/envoyproxy/envoy/blob/105b4acd422d67fcff908ec38d91c7676d079939/api/envoy/service/auth/v3/attribute_context.proto#L146-L147"}], "affected": [{"vendor": "dadrus", "product": "heimdall", "versions": [{"version": ">= 0.7.0-alpha, < 0.17.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:52:08.415Z"}, "descriptions": [{"lang": "en", "value": "Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. When using Heimdall in envoy gRPC decision API mode with versions 0.7.0-alpha through 0.17.10, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. Envoy splits the requested URL into parts, and sends the parts individually to Heimdall. Although query and path are present in the API, the query field is documented to be always empty and the URL query is included in the path field. The implementation uses go's url library to reconstruct the url which automatically encodes special characters in the path. As a consequence, a parameter like /mypath?foo=bar to Path is escaped into /mypath%3Ffoo=bar. Subsequently, a rule matching /mypath no longer matches and is bypassed. The issue can only lead to unintended access if Heimdall is configured with an \"allow all\" default rule. Since v0.16.0, Heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled, e.g. via --insecure-skip-secure-default-rule-enforcement or the broader --insecure flag. This issue has been fixed in version 0.17.11."}], "source": {"advisory": "GHSA-r8x2-fhmf-6mxp", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. When using Heimdall in envoy gRPC decision API mode with versions 0.7.0-alpha through 0.17.10, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. Envoy splits the requested URL into parts, and sends the parts individually to Heimdall. Although query and path are present in the API, the query field is documented to be always empty and the URL query is included in the path field. The implementation uses go's url library to reconstruct the url which automatically encodes special characters in the path. As a consequence, a parameter like /mypath?foo=bar to Path is escaped into /mypath%3Ffoo=bar. Subsequently, a rule matching /mypath no longer matches and is bypassed. The issue can only lead to unintended access if Heimdall is configured with an \"allow all\" default rule. Since v0.16.0, Heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled, e.g. via --insecure-skip-secure-default-rule-enforcement or the broader --insecure flag. This issue has been fixed in version 0.17.11."}], "id": "CVE-2026-32811", "lastModified": "2026-03-20T02:16:34.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T02:16:34.857", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/dadrus/heimdall/commit/50321b3007db1ccafdc6b1cfd6bdc3689c19a502"}, {"source": "security-advisories@github.com", "url": "https://github.com/dadrus/heimdall/pull/3106"}, {"source": "security-advisories@github.com", "url": "https://github.com/dadrus/heimdall/security/advisories/GHSA-r8x2-fhmf-6mxp"}, {"source": "security-advisories@github.com", "url": "https://github.com/envoyproxy/envoy/blob/105b4acd422d67fcff908ec38d91c7676d079939/api/envoy/service/auth/v3/attribute_context.proto#L146-L147"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.7.0-alpha,0.17.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "heimdall", "source": "cna", "vendor": "dadrus"}, "product": "heimdall", "vendor": "dadrus"}], "analysis": {"en": {"generated_at": "2026-03-20T03:21:12.585540+00:00", "value": {"mitigation_remediation": ["Apply the latest Heimdall release (0.17.11 or newer) or any patch that includes the URL encoding fix.", "Ensure Heimdall is not started with the insecure flags (--insecure-skip-secure-default-rule-enforcement or --insecure) that disable the secure default enforcement.", "If upgrading is not immediately possible, configure a default rule that does not allow all traffic, or move to a stricter rule set that does not rely on wildcards or global allow\u2011all."], "summary": {"action": "Patch Immediately", "impact": "Bypass Access Control"}, "threat_synthesis": {"affected_systems": "Affected vendors: dadrus Heimdall. The flaw exists in Heimdall versions 0.7.0\u2011alpha through 0.17.10. Since version 0.16.0 the product enforces secure defaults and will refuse to start with an \"allow all\" configuration unless overridden explicitly with flags such as --insecure-skip-secure-default-rule-enforcement or the broader --insecure. The fix is applied in version 0.17.11 and later.", "description_and_impact": "Heimdall, a cloud\u2011native identity aware proxy, incorrectly encodes URLs that include a query string when processed via its Envoy gRPC decision API. The implementation uses Go's url library to reconstruct the URL, which encodes special characters in the path, turning a request such as /mypath?foo=bar into /mypath%3Ffoo=bar. Rules that explicitly match /mypath then fail to match, allowing the request to fall through to a default rule. The vulnerability is exploitable only if Heimdall is configured with an \"allow all\" default rule, leading to unintended access to protected resources. The weakness is a combination of improper encoding (CWE\u2011116) and improper application of constraints (CWE\u2011863).", "risk_and_exploitability": "The CVSS score of 8.2 indicates a high severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog. Exploitation requires sending a crafted path containing a query string to the Envoy gRPC decision API, which Heimdall will process improperly. Because the vulnerability only affects configurations that permit unrestricted access by default, its real\u2011world impact depends on the system\u2019s rule set. No public exploits have been reported, but the high CVSS score reflects the potential for privileged escalation if a relaxed rule set is in place."}}}}, "created": "2026-03-20T08:53:11.656062+00:00", "updated": "2026-03-20T10:43:05.025928+00:00", "vendors": ["dadrus", "dadrus$PRODUCT$heimdall"]}