CVE-2026-32811
Published: 20 March 2026
Summary
CVE-2026-32811 is a high-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Dadrus Heimdall. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring timely remediation of the URL encoding flaw, i.e. upgrading affected Heimdall versions (0.7.0-alpha through 0.17.10) to 0.17.11 or later.
- CM-6 (Configuration Settings): prevents the rule bypass from turning into unintended access by prohibiting the "allow all" default rule the exploit depends on; Heimdall's secure-default enforcement (since v0.16.0) implements this unless it is explicitly disabled with --insecure-skip-secure-default-rule-enforcement or --insecure.
- Addresses the root cause by requiring that the URL Heimdall reconstructs from the path and query fields it receives from Envoy is encoded consistently with the path expressions its rules are matched against, so a request cannot change which rule applies by moving the query string into the path.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 applies because the Envoy/Heimdall pair is itself the public-facing entry point: an unauthenticated client that appends a crafted query string to the request path causes the exact-path rule to miss and, under an "allow all" default rule, reaches the protected resource without satisfying the rule's authentication or authorization requirements.
NVD Description
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. When using Heimdall in envoy gRPC decision API mode with versions 0.7.0-alpha through 0.17.10, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. Envoy splits the requested URL into parts, and sends the parts individually to Heimdall. Although query and path are present in the API, the query field is documented to be always empty and the URL query is included in the path field. The implementation uses go's url library to reconstruct the url which automatically encodes special characters in the path. As a consequence, a parameter like /mypath?foo=bar to Path is escaped into /mypath%3Ffoo=bar. Subsequently, a rule matching /mypath no longer matches and is bypassed. The issue can only lead to unintended access if Heimdall is configured with an "allow all" default rule. Since v0.16.0, Heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled, e.g. via --insecure-skip-secure-default-rule-enforcement or the broader --insecure flag. This issue has been fixed in version 0.17.11.
Deeper analysis
CVE-2026-32811 is an improper encoding vulnerability in Heimdall, a cloud native Identity Aware Proxy and Access Control Decision service, specifically when used in Envoy gRPC decision API mode. Affecting versions from 0.7.0-alpha through 0.17.10, the issue arises because Envoy splits the requested URL into parts and sends them individually to Heimdall, with the query parameters included in the path field despite the query field being documented as always empty. Heimdall's implementation uses Go's url library to reconstruct the URL, which automatically encodes special characters in the path, such as transforming /mypath?foo=bar into /mypath%3Ffoo=bar. This causes rules with non-wildcard path expressions, like one matching /mypath, to fail matching and be bypassed.
A remote, unauthenticated attacker with network access to the Envoy listener exploits this by appending a query string to the path of a protected resource. The reconstructed URL no longer matches the exact-path rule, so the request falls through to Heimdall's default rule. The mismatch itself occurs in every affected deployment, but it only yields unintended access when the default rule is "allow all"; with a deny-by-default rule the unmatched request is refused, which is why the advisory ties impact to that configuration. The CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N) reflects high integrity impact from unauthorized access, with low confidentiality impact and no availability effect. Associated CWEs are CWE-116 (Improper Encoding or Escaping of Output) and CWE-863 (Incorrect Authorization).
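The following Go program is an added illustration of the encoding mismatch described above and is not Heimdall's or Envoy's code. It models Envoy's split path/query fields with a constructed struct, reconstructs the URL both the way the advisory describes the affected versions doing it (query left inside url.URL.Path, so '?' becomes %3F) and with the query separated first, then runs a minimal exact-path rule matcher with and without an "allow all" default rule. The rule model, the decide helper and the hardened reconstruction are the author's assumptions for the example, not the project's actual rule engine or its patch.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// EnvoyRequest is a constructed stand-in for the path and query fields of
// Envoy's ext_authz AttributeContext.HttpRequest (not Envoy's generated type).
// Per the advisory, Query is always empty and the query string is folded
// into Path.
type EnvoyRequest struct {
	Path  string
	Query string
}

// reconstructVulnerable rebuilds the URL the way the affected versions are
// described as doing it: the path field goes into url.URL.Path unchanged,
// and url.URL.String() percent-encodes the '?' it still contains.
func reconstructVulnerable(scheme, host string, r EnvoyRequest) string {
	u := url.URL{Scheme: scheme, Host: host, Path: r.Path, RawQuery: r.Query}
	return u.String()
}

// reconstructFixed splits the query off the path before building the URL,
// so '?' is emitted as a delimiter rather than as %3F. This is the author's
// illustration of the correct behaviour, not Heimdall's actual fix.
func reconstructFixed(scheme, host string, r EnvoyRequest) string {
	path, query, _ := strings.Cut(r.Path, "?")
	if query == "" {
		query = r.Query // fall back to the (normally empty) dedicated field
	}
	u := url.URL{Scheme: scheme, Host: host, Path: path, RawQuery: query}
	return u.String()
}

// Rule is a minimal model of a Heimdall rule with a non-wildcard (exact)
// path expression; RequiresAuth stands in for its authentication pipeline.
type Rule struct {
	Path         string
	RequiresAuth bool
}

// decide parses the reconstructed URL, matches its path against the rules and
// falls back to the default rule when nothing matches. It returns whether the
// request is allowed and the path of the rule that matched ("" means the
// default rule was applied).
func decide(rawURL string, authenticated bool, rules []Rule, defaultAllow bool) (bool, string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, "", err
	}
	for _, r := range rules {
		if u.Path == r.Path {
			return !r.RequiresAuth || authenticated, r.Path, nil
		}
	}
	return defaultAllow, "", nil
}

func main() {
	// Constructed request: the query string arrives inside the path field.
	req := EnvoyRequest{Path: "/mypath?foo=bar"}
	rules := []Rule{{Path: "/mypath", RequiresAuth: true}}

	variants := []struct{ name, url string }{
		{"vulnerable", reconstructVulnerable("https", "api.example.com", req)},
		{"fixed", reconstructFixed("https", "api.example.com", req)},
	}
	for _, v := range variants {
		for _, defaultAllow := range []bool{true, false} {
			// An unauthenticated client: only a matched rule can refuse it.
			allowed, matched, err := decide(v.url, false, rules, defaultAllow)
			if err != nil {
				panic(err)
			}
			fmt.Printf("%-10s default_allow=%-5v url=%s matched=%q allowed=%v\n",
				v.name, defaultAllow, v.url, matched, allowed)
		}
	}
}
```

Running it shows the vulnerable reconstruction producing https://api.example.com/mypath%3Ffoo=bar, which no longer matches the /mypath rule: with an "allow all" default rule the unauthenticated request is allowed (the bypass), while with a deny default it is refused, which is exactly the dependency on configuration the advisory describes. The fixed reconstruction yields /mypath?foo=bar, the rule matches, and the request is denied regardless of the default rule.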
The fix is in Heimdall version 0.17.11 (commit 50321b3007db1ccafdc6b1cfd6bdc3689c19a502, pull request #3106); upgrading is the only remediation for the encoding flaw itself. Since version 0.16.0, Heimdall refuses to start with an "allow all" default rule unless that enforcement is explicitly disabled with --insecure-skip-secure-default-rule-enforcement or the broader --insecure flag, so any deployment that passes either flag should be treated as exposed until it is upgraded, and the flags should be removed where the default rule was not deliberately weakened. Practitioners reviewing their own Envoy integration can consult Envoy's attribute_context.proto documentation for how the path and query fields of the gRPC ext_authz request are populated.
Details
- CWE(s)