CVE-2026-42273

EUVD-2026-28509

08.05.2026, 04:16

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host that differs only in letter casing, potentially causing the request to be classified differently than intended. This issue has been patched in version 0.17.14.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
GitHub_M	CNA	7.8 HIGH	NETWORK	LOW	NONE	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 12%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
dadrus	heimdall	𝑥 < 0.17.14	CNA

Common Weakness Enumeration

CWE-178 - Improper Handling of Case Sensitivity
The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

References

https://github.com/dadrus/heimdall/commit/3d05e56a9e7ef0355f17482b4322054af4e85943

https://github.com/dadrus/heimdall/pull/3208

https://github.com/dadrus/heimdall/releases/tag/v0.17.14

https://github.com/dadrus/heimdall/security/advisories/GHSA-72h4-mxfc-jx37