GO-2026-5097
Heimdall has an authorization bypass via path normalization mismatch in github.com/dadrus/heimdall
Affected packages
Go / github.com/dadrus/heimdall
Introduced in: 0
Fixed in: 0.17.14
Fix
go get github.com/dadrus/heimdall@v0.17.14
References
- https://github.com/dadrus/heimdall/security/advisories/GHSA-3q34-rx83-r6mq [ADVISORY]
- https://nvd.nist.gov/vuln/detail/CVE-2026-42274 [ADVISORY]
- https://github.com/dadrus/heimdall/commit/b5dfa484b7a8c2ce6d8691c026f9da867719947a [FIX]
- https://github.com/dadrus/heimdall/pull/3209 [FIX]
- https://github.com/dadrus/heimdall/releases/tag/v0.17.14 [WEB]
- https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path [WEB]