CVE-2026-32811 Overview
CVE-2026-32811 is an authorization bypass vulnerability in Heimdall, a cloud native Identity Aware Proxy and Access Control Decision service. When Heimdall operates in Envoy gRPC decision API mode, incorrect encoding of the query URL string allows attackers to bypass access control rules configured with non-wildcard path expressions. This vulnerability affects versions 0.7.0-alpha through 0.17.10 and has been addressed in version 0.17.11.
Critical Impact
Attackers can bypass path-based access control rules to gain unauthorized access to protected resources when Heimdall is configured with an "allow all" default rule.
Affected Products
- Heimdall versions 0.7.0-alpha through 0.17.10
- Heimdall deployments using Envoy gRPC decision API mode
- Configurations with "allow all" default rules (especially versions prior to v0.16.0 which did not enforce secure defaults)
Discovery Timeline
- 2026-03-20 - CVE-2026-32811 published to NVD
- 2026-03-20 - Last updated in NVD database
Technical Details for CVE-2026-32811
Vulnerability Analysis
This vulnerability stems from improper URL encoding when Heimdall reconstructs URLs from parts provided by Envoy Proxy. When Envoy processes a request, it splits the URL into component parts and sends them individually to Heimdall through the gRPC decision API. According to the Envoy Proxy API Reference, while a query field exists in the API, it is documented to always be empty, with the URL query actually included in the path field.
The core issue lies in how Heimdall's implementation uses Go's url library to reconstruct the URL. This library automatically encodes special characters in the path, causing query string delimiters to be transformed in unintended ways. For example, when a request path like /mypath?foo=bar is processed, the ? character gets percent-encoded to %3F, resulting in /mypath%3Ffoo=bar.
This encoding transformation breaks rule matching. A rule configured to protect /mypath will no longer match the encoded path /mypath%3Ffoo=bar, allowing the request to bypass the intended access control. The attack is particularly effective against non-wildcard path expressions that expect exact matches.
Root Cause
The root cause is classified as CWE-116 (Improper Encoding or Escaping of Output). The vulnerability exists because Go's url library performs automatic character encoding when reconstructing URLs, but Heimdall did not account for this behavior when processing path data that already contained query string components. The mismatch between how Envoy packages URL data (query in path field) and how Heimdall processes it (treating the entire path field as just a path) creates the encoding discrepancy that enables rule bypass.
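The reconstruction defect described in the Vulnerability Analysis and Root Cause sections, shown in Go as an added illustration (this is constructed example code, not Heimdall's or Envoy's own source). The `envoyRequest` struct, the `rule` type and the `decide` matcher are simplified assumptions standing in for the real gRPC attributes and rule engine; what is real is the behaviour of Go's `net/url`, which percent-encodes `?` when it sits inside `URL.Path`. The example goes slightly beyond the page's single case by also showing why a deny-by-default rule and a wildcard path expression limit the impact.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// envoyRequest is a hypothetical, simplified stand-in for the attributes the
// Envoy gRPC decision API hands over: per the Envoy API reference the query
// field is always empty and any query string arrives inside the path field.
type envoyRequest struct {
	Scheme string
	Host   string
	Path   string // e.g. "/mypath?foo=bar" (query included)
	Query  string // documented as always empty
}

// rebuildVulnerable copies the Envoy path field straight into url.URL.Path.
// net/url escapes '?' inside a path, so the query delimiter becomes %3F.
// This reproduces the CWE-116 pattern the advisory describes; it is a
// constructed illustration, not Heimdall's actual implementation.
func rebuildVulnerable(r envoyRequest) string {
	u := url.URL{Scheme: r.Scheme, Host: r.Host, Path: r.Path, RawQuery: r.Query}
	return u.RequestURI()
}

// rebuildFixed splits the path field at the first '?' so that the query goes
// into RawQuery and only the real path component is escaped.
func rebuildFixed(r envoyRequest) string {
	p, q, _ := strings.Cut(r.Path, "?")
	if q == "" {
		q = r.Query
	}
	u := url.URL{Scheme: r.Scheme, Host: r.Host, Path: p, RawQuery: q}
	return u.RequestURI()
}

// rule is a minimal path-based access rule (assumed model): exact match on the
// decoded path, or prefix match when the configured path ends in '*'.
type rule struct {
	path  string
	allow bool
}

// decide re-parses the reconstructed request URI, as a rule matcher would, and
// evaluates it against the rules; unmatched requests fall through to
// defaultAllow (true models an "allow all" default rule).
func decide(requestURI string, rules []rule, defaultAllow bool) (allowed bool, matched string) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return false, ""
	}
	for _, rl := range rules {
		if strings.HasSuffix(rl.path, "*") {
			if strings.HasPrefix(u.Path, strings.TrimSuffix(rl.path, "*")) {
				return rl.allow, rl.path
			}
			continue
		}
		if u.Path == rl.path {
			return rl.allow, rl.path
		}
	}
	return defaultAllow, ""
}

func main() {
	req := envoyRequest{Scheme: "https", Host: "api.example.test", Path: "/mypath?foo=bar"}
	protected := []rule{{path: "/mypath", allow: false}} // non-wildcard rule guarding /mypath

	vuln := rebuildVulnerable(req)
	fixed := rebuildFixed(req)
	fmt.Println("vulnerable reconstruction:", vuln) // /mypath%3Ffoo=bar
	fmt.Println("fixed reconstruction:     ", fixed) // /mypath?foo=bar

	a, m := decide(vuln, protected, true)
	fmt.Printf("vulnerable + allow-all default: allowed=%v matched=%q\n", a, m) // true, "" (bypass)
	a, m = decide(fixed, protected, true)
	fmt.Printf("fixed + allow-all default:      allowed=%v matched=%q\n", a, m) // false, "/mypath"
	a, m = decide(vuln, protected, false)
	fmt.Printf("vulnerable + deny-by-default:   allowed=%v matched=%q\n", a, m) // false, ""
	a, m = decide(vuln, []rule{{path: "/mypath*", allow: false}}, true)
	fmt.Printf("vulnerable + wildcard rule:     allowed=%v matched=%q\n", a, m) // false, "/mypath*"
}
```

The last two cases show why the page's workarounds help even before patching: with a deny-by-default rule the mis-encoded path falls through to a denial, and a `/mypath*` expression still prefix-matches the decoded `/mypath?foo=bar`.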
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by crafting HTTP requests with query parameters targeting resources protected by non-wildcard path rules. When these requests pass through Envoy to Heimdall, the automatic URL encoding causes the path matching to fail, bypassing the access control decision.
The impact is most severe when Heimdall is configured with an "allow all" default rule, under which requests that don't match any specific rule are permitted access. Starting with version v0.16.0, Heimdall enforces secure defaults and refuses to start with such configurations unless explicitly overridden using flags like --insecure-skip-secure-default-rule-enforcement or --insecure.
The vulnerability allows unauthorized access to protected resources, potentially exposing sensitive data or functionality. The integrity impact is high as attackers can bypass intended access controls, though confidentiality impact is limited to the resources accessible through the bypassed rules.
Detection Methods for CVE-2026-32811
Indicators of Compromise
- Access logs showing successful requests to protected paths that include percent-encoded query delimiters (%3F) in the path segment
- Unusual patterns of requests with query strings to paths that should be access-controlled
- Audit log discrepancies where access was granted to resources that should have been denied based on configured rules
Detection Strategies
- Review Heimdall access logs for requests containing %3F (encoded ?) in path segments that match protected resources
- Implement log analysis rules to detect requests where the path contains encoded special characters that may indicate bypass attempts
- Monitor for configuration flags indicating insecure mode operation (--insecure, --insecure-skip-secure-default-rule-enforcement)
- Compare Envoy access logs with Heimdall decision logs to identify authorization decisions that don't align with expected rule behavior
Monitoring Recommendations
- Enable detailed logging in both Envoy and Heimdall to capture full request paths and authorization decisions
- Create alerts for requests that successfully access resources while containing percent-encoded characters in paths
- Implement periodic configuration audits to ensure secure defaults are enforced and no insecure override flags are in use
- Monitor application logs for unauthorized access patterns to resources that should be protected
How to Mitigate CVE-2026-32811
Immediate Actions Required
- Upgrade Heimdall to version 0.17.11 or later immediately
- Review current Heimdall configuration for "allow all" default rules and replace with explicit deny-by-default policies
- Audit access logs for potential exploitation attempts by searching for percent-encoded query delimiters in path segments
- If running versions prior to v0.16.0, do not rely on configurations that v0.16.0 and later would reject under secure defaults enforcement, such as an "allow all" default rule
Patch Information
The vulnerability has been fixed in Heimdall version 0.17.11. The fix addresses the URL encoding issue to ensure proper handling of query strings in the path field when using the Envoy gRPC decision API mode. Technical details of the fix can be found in the GitHub Commit and GitHub Pull Request. The full security advisory is available at GHSA-r8x2-fhmf-6mxp.
Workarounds
- Replace "allow all" default rules with explicit deny-by-default configurations to limit the impact of rule bypass
- Use wildcard path expressions (e.g., /mypath*) instead of exact path matches where feasible, as these may be less susceptible to encoding-based bypass
- Implement additional access control layers at the application or network level to provide defense in depth
- If using Heimdall version v0.16.0 or later, ensure secure defaults enforcement is enabled and avoid using --insecure or --insecure-skip-secure-default-rule-enforcement flags
# Configuration example - Verify Heimdall is running without insecure flags
# Check running processes for insecure flags (should print nothing; the [h] pattern keeps the grep process itself out of the match,
# and "--" lets grep take a pattern that begins with a dash)
ps aux | grep '[h]eimdall' | grep -E -- '--insecure(-skip-secure-default-rule-enforcement)?'
# Verify Heimdall version is patched
heimdall version
# Output should show version 0.17.11 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

