CVE-2026-42272 - Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation

EPSS 0.04% · P13

I. Basic Information for CVE-2026-42272

Vulnerability Information

Vulnerability Title
Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
Source: NVD (National Vulnerability Database)
Vulnerability Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Interpretation conflict
Source: NVD (National Vulnerability Database)
Vulnerability Title
Heimdall security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
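Heimdall is an open-source application dashboard and launcher from LinuxServer.io. Versions of Heimdall prior to 0.17.14 contain a security vulnerability that stems from handling URL-encoded slashes in a case-sensitive manner, whereas percent-encoding is defined to be case-insensitive. When allow_encoded_slashes is set to off, the lowercase equivalent is not recognized, which may cause the request path to be interpreted differently by heimdall and upstream components, leading to authorization bypass.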
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor | Product | Affected Versions | CPE
dadrus | heimdall | < 0.17.14 | -

II. Public POCs for CVE-2026-42272

No public POC found.

III. Intelligence Information for CVE-2026-42272

Same Patch Batch · dadrus · 2026-05-08 · 3 CVEs total

CVE-2026-42273 - Heimdall: Case-sensitive host matching may lead to policy bypass
CVE-2026-42274 - Heimdall: Authorization bypass via path normalization mismatch
