CVE-2026-32811: Heimdall: Path received via Envoy gRPC corrupted when containing query string
When heimdall is used in Envoy gRPC decision API mode, incorrect encoding of the URL query string allows rules with non-wildcard path expressions to be bypassed.
The HTTP-based decision API is NOT affected, and proxy mode is NOT affected either.
Note: The issue can only lead to unintended access if heimdall is configured with an “allow all” default rule. Since v0.16.0, heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled, e.g. via --insecure-skip-secure-default-rule-enforcement or the broader --insecure flag.
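The failure mode and its mitigation, as an added illustration that is not heimdall's code: Envoy's ext_authz `AttributeContext.HttpRequest.path` carries the request target as it appears on the request line, so a query string may be attached to the path. The `Rule` type, `Decide` and `NaiveDecide` below are hypothetical stand-ins for a path-rule engine; they show that matching an exact path rule against the raw target lets a request with a query string fall through to the default rule, while splitting path from query with `net/url` first makes the rule match as intended.

```go
package main

import (
	"fmt"
	"net/url"
)

// Rule is a hypothetical non-wildcard path rule (not heimdall's rule type).
type Rule struct {
	Path  string
	Allow bool
}

// SplitTarget separates the request target received from Envoy into its
// path and query parts. Per Envoy's AttributeContext.HttpRequest.path, the
// value is the raw request target and may include a query string.
func SplitTarget(target string) (path, rawQuery string, err error) {
	u, err := url.ParseRequestURI(target)
	if err != nil {
		return "", "", err
	}
	return u.Path, u.RawQuery, nil
}

// Decide matches on the path component only and denies when no rule
// matches (secure default), so a query string cannot change the outcome.
func Decide(rules []Rule, target string) (bool, error) {
	path, _, err := SplitTarget(target)
	if err != nil {
		return false, err
	}
	for _, r := range rules {
		if r.Path == path {
			return r.Allow, nil
		}
	}
	return false, nil
}

// NaiveDecide compares the raw target. With a query string present the
// exact rule never matches and the configured default rule decides instead,
// which is how an "allow all" default turns this into unintended access.
func NaiveDecide(rules []Rule, target string, defaultAllow bool) bool {
	for _, r := range rules {
		if r.Path == target {
			return r.Allow
		}
	}
	return defaultAllow
}

func main() {
	rules := []Rule{{Path: "/admin", Allow: false}} // constructed sample rule
	for _, t := range []string{"/admin", "/admin?x=1"} {
		ok, _ := Decide(rules, t)
		fmt.Printf("%-12s naive(allow-all default)=%v fixed=%v\n", t, NaiveDecide(rules, t, true), ok)
	}
}
```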
References
- github.com/advisories/GHSA-r8x2-fhmf-6mxp
- github.com/dadrus/heimdall
- github.com/dadrus/heimdall/commit/50321b3007db1ccafdc6b1cfd6bdc3689c19a502
- github.com/dadrus/heimdall/pull/3106
- github.com/dadrus/heimdall/security/advisories/GHSA-r8x2-fhmf-6mxp
- github.com/envoyproxy/envoy/blob/105b4acd422d67fcff908ec38d91c7676d079939/api/envoy/service/auth/v3/attribute_context.proto
- nvd.nist.gov/vuln/detail/CVE-2026-32811