CVE-2026-42274 - Heimdall policy interpretation bypass cluster

Heimdall versions before 0.17.14 contain a cluster of high-severity authorization bypass issues where Heimdall and upstream services can interpret the same HTTP request differently. The most important failure mode is a gateway authorizing one path, host, or encoded slash form while the downstream service processes another.

This matters for any repository that treats a gateway policy as the secure context boundary for agents, internal tools, admin routes, or tenant APIs. A request that falls through to a permissive default rule can reach a route that the product expects to require authentication or authorization.

When to use it

  • A repository deploys, builds, vendors, images, or configures Heimdall before 0.17.14.
  • Gateway policy protects admin, tenant, billing, repository, model, MCP, internal tool, or control-plane routes.
  • Proxies, meshes, downstream services, or frameworks may normalize paths, hosts, dot-segments, encoded slashes, or case differently than Heimdall.
  • You need a bounded PR or triage note that upgrades Heimdall, enforces deny-by-default policy, and aligns edge/downstream interpretation.

Inputs

  • Go modules, Heimdall binaries/images, Helm/K8s/Compose/Terraform artifacts, gateway policies, ingress/proxy config, service mesh config, SBOMs, generated manifests, and runbooks.
  • Sensitive route inventory, default rules, insecure flags, host/path matching, downstream normalization behavior, rule-ID propagation, logs, and rollout owners.
  • Available Go dependency checks, gateway policy tests, route authz tests, manifest render, container build, SBOM, and dependency/security scans.

Affected versions

  • Vulnerable: github.com/dadrus/heimdall <0.17.14
  • Fixed: github.com/dadrus/heimdall 0.17.14+
  • Related advisories covered by this prompt:
    • CVE-2026-42274 / GHSA-3q34-rx83-r6mq: raw path matching vs downstream dot-segment normalization.
    • CVE-2026-42273 / GHSA-72h4-mxfc-jx37: case-sensitive host matching even though HTTP hostnames are case-insensitive.
    • GHSA-43jv-5j4x-qv67: lowercase %2f handling can disagree with upstream path interpretation when encoded slashes are disabled.

Indicator-of-exposure

  • The repository builds, vendors, deploys, or documents Heimdall before 0.17.14.
  • Heimdall rules match protected routes with wildcards, host matches, encoded slash behavior, or route patterns that overlap with public/default rules.
  • Default behavior is permissive, or secure default enforcement is disabled with flags such as --insecure or --insecure-skip-secure-default-rule-enforcement.
  • A proxy, ingress, service mesh, app server, or framework downstream from Heimdall normalizes paths, decodes %2f, lowercases hosts, or collapses dot-segments differently than Heimdall.
  • Admin, tenant, billing, repository, model, or MCP routes depend on Heimdall as the primary authorization boundary.

Quick checks:

rg -n "dadrus/heimdall|heimdall|allow_encoded_slashes|insecure-skip-secure-default-rule-enforcement|--insecure|default rule|match:|routes:|hosts:" .
go list -m all | rg '^github.com/dadrus/heimdall'
rg -n "normalize_path|merge_slashes|allow_encoded_slashes|proxy_pass|PathPrefix|stripPrefix|rewrite|host_rewrite|x-forwarded-host" Dockerfile* docker-compose*.yml charts deploy k8s helm terraform nginx* envoy* traefik* .

Remediation strategy

  • Upgrade every controlled Heimdall dependency, binary, container image, and deployment reference to 0.17.14+.
  • Regenerate Go module state, image metadata, rendered manifests, SBOMs, and dependency reports.
  • Deny by default. Remove permissive fallback rules and do not use --insecure or --insecure-skip-secure-default-rule-enforcement unless there is an explicit security owner decision and compensating control.
  • Normalize or reject dangerous request forms before Heimdall: dot-segments, encoded dot-segments, encoded slashes, mixed-case encoded slashes, duplicated separators, and mixed-case hostnames.
  • Make host matching case-insensitive, or normalize hosts to lowercase before policy evaluation.
  • Include the expected Heimdall rule ID or route authorization context in the token/headers issued to the service, then have the downstream service verify it before serving sensitive routes.
  • Add regression tests for the exact interpretation gaps instead of testing only ordinary protected and public paths.

The prompt

You are remediating the Heimdall high-severity policy interpretation bypass
cluster: CVE-2026-42274 / GHSA-3q34-rx83-r6mq, CVE-2026-42273 /
GHSA-72h4-mxfc-jx37, and GHSA-43jv-5j4x-qv67. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Heimdall, closes edge
  normalization gaps, adds policy regression coverage, and documents operator
  cleanup, or
- TRIAGE.md if this repository does not own an affected Heimdall deployment or
  cannot safely change the gateway policy.

## Rules

- Scope only this Heimdall authorization bypass cluster.
- Treat bearer tokens, cookies, JWT signing keys, gateway policy, tenant
  routes, admin URLs, service credentials, request logs, and model/API
  credentials as sensitive.
- Do not send bypass probes to production, staging, shared tenant systems, or
  internet-facing gateways.
- Do not prove exposure by accessing real protected data.
- Do not replace an authorization bypass with a broader permissive default
  rule.
- Do not auto-merge.

## Steps

1. Inventory every Heimdall asset controlled by this repository: Go modules,
   lockfiles, binary downloads, Dockerfiles, compose files, Helm charts,
   Kubernetes manifests, Terraform, service mesh or ingress config, generated
   SBOMs, and runbooks.
2. Determine every resolved Heimdall version. A target is vulnerable if it uses
   `github.com/dadrus/heimdall <0.17.14` or a Heimdall binary/image before the
   fixed release.
3. Search gateway policy and deployment config for risky conditions:
   wildcard route matches, host-based matches, permissive default rules,
   `--insecure`, `--insecure-skip-secure-default-rule-enforcement`,
   `allow_encoded_slashes`, route rewrites, upstream path normalization, and
   downstream services that normalize paths independently.
4. Map sensitive routes that depend on Heimdall: admin APIs, tenant data,
   billing routes, repository and build endpoints, model-provider access, MCP
   tool endpoints, and internal control-plane actions.
5. If this repository does not own Heimdall runtime or policy artifacts, stop
   with `TRIAGE.md` naming the files checked, likely runtime owner, fixed
   version `0.17.14+`, and the gateway rules that should be reviewed.
6. Upgrade Heimdall to `0.17.14+` everywhere this repository controls it.
   Regenerate module state, images, manifests, SBOMs, and dependency reports.
7. Enforce deny-by-default policy:
   - remove or harden permissive fallback/default rules;
   - remove insecure startup flags;
   - fail closed when no route rule matches;
   - avoid broad wildcard rules that can swallow normalized protected paths.
8. Add edge normalization or rejection before Heimdall where this repository
   controls it:
   - reject `..`, encoded dot-segments, mixed encoded dot-segments, and
     duplicated separator variants;
   - reject or consistently handle `%2f` and `%2F`;
   - lowercase hostnames before host matching;
   - align Envoy, Traefik, NGINX, app server, and service framework behavior.
9. Add downstream verification for sensitive services where practical:
   include the expected Heimdall rule ID or route authorization context in the
   token or trusted header, then reject requests whose downstream route does
   not match the authorized rule.
10. Add safe local tests using synthetic routes only:
    - `/public/../admin` and encoded variants cannot reach admin behavior;
    - `/admin%2fsecret` and `/admin%2Fsecret` are handled consistently;
    - mixed-case hostnames cannot fall through to an allow-all default;
    - wildcard public rules cannot authorize normalized protected paths;
    - downstream rule-ID verification rejects mismatches.
11. Add a PR body section named `Heimdall operator actions` that states:
    - Heimdall versions before and after the change;
    - whether permissive defaults or insecure flags were present;
    - which proxies or frameworks normalize paths or hosts;
    - which protected routes could have been reached through interpretation
      mismatch;
    - which gateway, access, audit, and service logs should be reviewed;
    - whether tokens, sessions, or service credentials require rotation.
12. Run relevant validation: Go dependency resolution, unit tests, gateway
    policy tests, route authorization tests, manifest rendering, container
    build, SBOM refresh, and dependency/security scans available here.
13. Use PR title:
    `fix(sec): remediate Heimdall policy interpretation bypass`.

## Stop conditions

- No Heimdall runtime, policy, binary, image, or deployment target is
  controlled by this repository.
- Gateway ownership is split and the repository cannot safely modify upstream
  normalization or default-rule behavior.
- Existing product behavior intentionally permits unauthenticated default
  access to routes that overlap protected paths; require a product/security
  decision.
- Verification would require probing real protected routes or reading tenant
  data.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled Heimdall dependency, binary, image, SBOM, or deployment target remains below 0.17.14.
  • Gateway policy fails closed when no route matches.
  • Insecure startup flags and permissive default rules are removed or explicitly risk-accepted with compensating controls.
  • Tests cover dot-segment normalization, encoded slash casing, host casing, and downstream route-ID mismatch.
  • Operator actions identify impacted route classes, logs to review, and any session or credential rotation required.

Output contract

  • Reviewer-ready PR upgrading Heimdall to 0.17.14+ with refreshed modules, images, manifests, SBOMs, and reports.
  • Deny-by-default gateway policy with insecure flags removed or explicitly risk-accepted with compensating controls.
  • Synthetic route tests covering dot-segments, encoded slash casing, host casing, wildcard/default fallthrough, and downstream rule-ID mismatch.
  • TRIAGE.md when gateway runtime, normalization policy, downstream service checks, or log/credential follow-up is outside this repository.

Watch for

  • Updating Go modules while deployment images or Helm values still pin an old Heimdall binary.
  • Testing only ordinary /admin and /public paths while missing normalized variants.
  • Lowercasing hosts in one proxy while another edge path bypasses that proxy.
  • Leaving a catch-all anonymous default rule in place after the upgrade.
  • Treating gateway authorization as sufficient when downstream services normalize and route independently.

References