{"id":"GO-2026-5097","summary":"Heimdall has an authorization bypass via path normalization mismatch in github.com/dadrus/heimdall","details":"Heimdall has an authorization bypass via path normalization mismatch in github.com/dadrus/heimdall","aliases":["CVE-2026-42274","GHSA-3q34-rx83-r6mq"],"modified":"2026-06-25T18:45:20.857670953Z","published":"2026-06-25T18:26:48Z","database_specific":{"review_status":"UNREVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-5097"},"references":[{"type":"ADVISORY","url":"https://github.com/dadrus/heimdall/security/advisories/GHSA-3q34-rx83-r6mq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42274"},{"type":"FIX","url":"https://github.com/dadrus/heimdall/commit/b5dfa484b7a8c2ce6d8691c026f9da867719947a"},{"type":"FIX","url":"https://github.com/dadrus/heimdall/pull/3209"},{"type":"WEB","url":"https://github.com/dadrus/heimdall/releases/tag/v0.17.14"},{"type":"WEB","url":"https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path"}],"affected":[{"package":{"name":"github.com/dadrus/heimdall","ecosystem":"Go","purl":"pkg:golang/github.com/dadrus/heimdall"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.17.14"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-5097.json"}}],"schema_version":"1.7.5"}