Heimdall (Identity Aware Proxy), Path Normalization Bypass, CVE-2026-32811 (High)

Listen to this Post

Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot‑segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL‑encoded variants such as `/user/%2e%2e/admin` or /user/%2e%2e%2fadmin. The latter would require the `allow_encoded_slashes` option to be set to `on` or no_decode.) while the downstream ultimately processes a different, normalized path (/admin).
This vulnerability can be exploited by an adversary if rule matching is performed using free (named or unnamed) wildcards without further constraints, as shown in the example snippets below.

id: rule-1
match:
routes:
- path: /user/
execute: configured to require authentication and authorization
id: rule-2
match:
routes:
- path: /public/
execute: configured to allow anonymous access

If an adversary sends a request to /public/../user/whatever, rule-2 will be matched and executed. The downstream service may, however, normalize the request path and interpret it as /user/whatever.

dailycve form

Platform: Heimdall Identity Proxy
Version: 0.7.0‑alpha – 0.17.10
Vulnerability: Path normalization bypass
Severity: High (CVSS 8.2)
Date: 2026‑03‑20

Prediction: Patch expected in 0.17.11 (already released)

What Undercode Say:

Analytics of the issue show that the root cause is the mismatch between raw rule matching and downstream path normalization. The following bash commands and codes illustrate the vulnerability and its detection.

Test for path normalization bypass
curl -v "http://heimdall.local/public/../admin"
Check if rule-2 (public) is incorrectly matched
curl -v "http://heimdall.local/public/../admin?bypass"
Use URL-encoded dot‑segments to evade filtering
curl -v "http://heimdall.local/public/%2e%2e/admin"

Exploit:

An attacker can bypass access controls by crafting a request that matches a permissive rule (e.g., /public/) but, after normalization, targets a restricted path (e.g., /admin). This is achieved by injecting dot‑segments (..) or their URL‑encoded variants (%2e%2e) in the path. The exploit works even when `allow_encoded_slashes` is enabled, as Heimdall does not normalize the path before rule matching.

Protection from this CVE:

  • Upgrade to Heimdall version 0.17.11 or later.
  • Normalize HTTP paths or reject requests containing relative path expressions (e.g., .., %2e%2e) before they reach Heimdall.
  • Configure upstream proxies (e.g., Envoy with normalize_path) to sanitize paths.
  • Include the ID of the expected rule in the JWT and validate it in the consuming service.

Impact:

Bypass of access control policies can lead to:

  • Unauthorized access to or modification of restricted data.
  • Invocation of functionality that should require authentication or authorization.
  • In certain configurations, escalation of privileges depending on the exposed functionality.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top