CVE-2026-32811 in heimdall
Summary
by MITRE • 03/20/2026
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. When using Heimdall in envoy gRPC decision API mode with versions 0.7.0-alpha through 0.17.10, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. Envoy splits the requested URL into parts, and sends the parts individually to Heimdall. Although query and path are present in the API, the query field is documented to be always empty and the URL query is included in the path field. The implementation uses go's url library to reconstruct the url which automatically encodes special characters in the path. As a consequence, a parameter like /mypath?foo=bar to Path is escaped into /mypath%3Ffoo=bar. Subsequently, a rule matching /mypath no longer matches and is bypassed. The issue can only lead to unintended access if Heimdall is configured with an "allow all" default rule. Since v0.16.0, Heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled, e.g. via --insecure-skip-secure-default-rule-enforcement or the broader --insecure flag. This issue has been fixed in version 0.17.11.
Analysis
by VulDB Data Team • 03/30/2026
CVE-2026-32811 affects Heimdall, a cloud native Identity Aware Proxy and Access Control Decision service, when it is run in envoy gRPC decision API mode. The flaw is present in versions 0.7.0-alpha through 0.17.10 and is a path matching bypass caused by improper handling of the request URL during the gRPC decision. It stems from how Heimdall reconstructs the URL from the components Envoy sends it: an ordinary request that carries a query string is enough to trigger it, and no malformed encoding on the attacker's side is required.
The mechanism lies in the interaction between Envoy's request splitting and Heimdall's gRPC decision API. When Envoy asks Heimdall for a decision, it splits the requested URL into its components and sends them individually. Although both a path field and a query field exist in the API, the query field is documented to be always empty, and the query string is carried in the path field together with the path: for a request to /mypath?foo=bar, the path field holds /mypath?foo=bar verbatim.
Heimdall then reconstructs the URL with Go's net/url package, which percent-encodes characters that are not valid inside a path component. The question mark that separates path from query is therefore escaped to %3F, and /mypath?foo=bar becomes /mypath%3Ffoo=bar. A rule whose non-wildcard path expression is /mypath no longer matches this path, so the request is not handled by the rule that was meant to protect it and falls through to the default rule instead.
The impact is bounded by configuration. Because the unmatched request is handled by the default rule, the bypass only leads to unintended access when that default rule is "allow all". Versions before 0.16.0 accept such a configuration without complaint. Since 0.16.0, Heimdall enforces secure defaults and refuses to start with an allow-all default rule unless an administrator explicitly disables the enforcement with --insecure-skip-secure-default-rule-enforcement or the broader --insecure flag. The encoding bug itself is present in every version from 0.7.0-alpha through 0.17.10, so a deployment that has disabled this enforcement, or that runs a version before 0.16.0 with an allow-all default, remains exposed until it upgrades.
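The reconstruction and fall-through described above, reduced to a small Go program. This is an added example and is not code from this page or from Heimdall's code base; it assumes a toy rule model (an exact-match path expression and an allow/deny flag), a constructed Envoy path field that still contains the query string, and a default rule that is consulted when nothing matches. `reconstructVulnerable` builds the URL the way the advisory describes, `reconstructFixed` splits path and query with `url.ParseRequestURI` before matching (one possible correction, not necessarily Heimdall's actual fix), and `decide` shows the decision each variant reaches under an "allow all" default rule.

```go
package main

import (
	"fmt"
	"net/url"
)

// Rule is a constructed, minimal stand-in for a Heimdall rule: an exact
// (non-wildcard) path expression and whether a matching request is allowed.
// Heimdall's real rule model is richer; this is only an illustration.
type Rule struct {
	Path  string
	Allow bool
}

// reconstructVulnerable mirrors the flawed reconstruction described in the
// advisory: Envoy's "path" field (which still contains the query string) is
// stored as the URL path, so url.URL.String() percent-encodes the '?' and the
// query text stays glued to the path.
func reconstructVulnerable(envoyPath string) *url.URL {
	return &url.URL{Path: envoyPath}
}

// reconstructFixed separates path and query before anything is matched.
// url.ParseRequestURI treats the first unescaped '?' as the query delimiter
// and leaves a literal %3F in the path alone, which is exactly the
// distinction the vulnerable reconstruction loses. (Assumed fix, not
// Heimdall's actual patch.)
func reconstructFixed(envoyPath string) (*url.URL, error) {
	return url.ParseRequestURI(envoyPath)
}

// decide matches the URL path against the rules in order and falls through to
// the default rule when nothing matches. It returns the decision and the path
// expression of the rule that produced it ("default" for the fallback).
func decide(rules []Rule, u *url.URL, defaultAllow bool) (bool, string) {
	for _, r := range rules {
		if u.Path == r.Path {
			return r.Allow, r.Path
		}
	}
	return defaultAllow, "default"
}

func main() {
	// A protected path. The rule denies here; in Heimdall it would instead
	// require the request to pass an authentication/authorization pipeline.
	rules := []Rule{{Path: "/mypath", Allow: false}}

	// Constructed Envoy path fields: a plain request, one with a query string,
	// and one whose path literally contains an encoded '?'.
	for _, envoyPath := range []string{"/mypath", "/mypath?foo=bar", "/mypath%3Ffoo=bar"} {
		v := reconstructVulnerable(envoyPath)
		vAllowed, vRule := decide(rules, v, true) // "allow all" default rule
		fmt.Printf("vulnerable %-20s -> %-22s rule=%-8s allowed=%v\n",
			envoyPath, v.String(), vRule, vAllowed)

		f, err := reconstructFixed(envoyPath)
		if err != nil {
			fmt.Println("fixed      parse error:", err)
			continue
		}
		fAllowed, fRule := decide(rules, f, true)
		fmt.Printf("fixed      %-20s -> path=%-16s query=%-9q rule=%-8s allowed=%v\n",
			envoyPath, f.Path, f.RawQuery, fRule, fAllowed)
	}
}
```

Running it shows the bypass for /mypath?foo=bar: the vulnerable reconstruction yields /mypath%3Ffoo=bar, misses the /mypath rule and is allowed by the default rule, while the fixed variant matches /mypath with query foo=bar and is denied. The third input demonstrates that a literal %3F in the path is not a query and correctly reaches the default rule in both variants. Changing the default to deny (the secure default Heimdall enforces since 0.16.0) closes the gap even with the vulnerable reconstruction.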
VulDB classifies the weakness as CWE-20 (improper input validation). In effect it is a path matching bypass, not path traversal: no directory components are manipulated, the path simply stops matching the rule written for it. The entry also maps the issue to ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts), reflecting that the bypass grants access the path-based rule was meant to gate. The vulnerability demonstrates the importance of correct URL handling in security-critical systems, particularly where a gRPC API carries the query string inside the path field and a later component reinterprets it. The fix in version 0.17.11 restores correct handling of path and query during the gRPC decision, so rules match the path the client actually requested while the service's intended functionality is preserved.
Remediation is to upgrade to Heimdall version 0.17.11 or later. Administrators should also review how Heimdall is started and confirm that neither --insecure-skip-secure-default-rule-enforcement nor --insecure is in use unless there is a documented reason, and that the default rule is not "allow all"; on a version before 0.16.0, where secure defaults are not enforced, this configuration review is the only protection until the upgrade. After upgrading, test that legitimate requests carrying query strings still match their rules and that requests for protected paths are blocked. The issue illustrates how a subtle encoding difference inside an identity-aware proxy can defeat its access control, and why the secure default enforcement introduced in version 0.16.0 is a crucial second line of defence against such bypasses.