CVE-2026-33494
published 2026-03-26


Priority: P2 (64)
CVSS 3.1: 10.0 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.52% (40.1st percentile)
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.

Affected

2 ranges
Vendor: github.com | Product: ory_oathkeeper | Version range: >= 0, < 0.40.10-0.20260320084758-8e0002140491 | Fixed in: 0.40.10-0.20260320084758-8e0002140491
Vendor: ory | Product: oathkeeper | Version range: < 26.2.0 | Fixed in: 26.2.0

Detection & IOCs (extracted from sources)

path: /public/../admin/secrets
  • Detect HTTP requests whose raw request URI contains un-normalized traversal sequences (e.g. `/../`) and targets an Oathkeeper-proxied endpoint, particularly where the raw path traverses from a permissive prefix (e.g. /public/) into a protected one (e.g. /admin/).
  • Flag requests where URL path normalization resolves to a different (more privileged) path than the raw request path; against Oathkeeper versions prior to 26.2.0 this indicates a rule-matching bypass attempt.
  • The affected Go module is github.com/ory/oathkeeper; deployments using it as an IAP or Access Control Decision API for HTTP authorization are at risk while running a pre-patch version.
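The mechanism the advisory describes (a permissive prefix rule evaluated against the raw request path) and the detection heuristic in the IOC list, as an added Go example. This is illustrative code written for this page, not Oathkeeper's rule engine or its 26.2.0 patch: the `Rule` type, the two-rule policy, the `Decide*` functions and the access-log lines are all constructed here. It puts the raw-path decision beside a decode-then-normalize decision and flags any request whose cleaned path differs from what was sent. It goes one step beyond the advisory's single quoted URL by decoding percent-encoded dot segments (`%2e%2e`) before normalizing, and it keeps a trailing slash so `/public/` is not a false positive.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Rule is a hypothetical stand-in for an access rule (not Oathkeeper's schema):
// a request whose path starts with Prefix is allowed or denied.
type Rule struct {
	Prefix string
	Allow  bool
}

// Constructed policy, most specific prefix first: /admin/ protected, /public/ open.
var rules = []Rule{{"/admin/", false}, {"/public/", true}}

// match returns the first rule whose prefix matches p.
func match(p string) (Rule, bool) {
	for _, r := range rules {
		if strings.HasPrefix(p, r.Prefix) {
			return r, true
		}
	}
	return Rule{}, false
}

// parsePath percent-decodes an origin-form request target (path[?query]) and
// returns the path before and after dot-segment resolution; a trailing slash is
// kept so "/public/" is not reported as changed by normalization.
func parsePath(target string) (decoded, normalized string, err error) {
	u, err := url.ParseRequestURI(target)
	if err != nil {
		return "", "", err
	}
	decoded = u.Path
	normalized = path.Clean(decoded)
	if strings.HasSuffix(decoded, "/") && normalized != "/" {
		normalized += "/"
	}
	return decoded, normalized, nil
}

// DecideVulnerable evaluates the policy on the request path exactly as sent
// (query stripped, no decoding, ".." left in place): the pre-26.2.0 behaviour
// the advisory describes.
func DecideVulnerable(target string) bool {
	r, ok := match(strings.SplitN(target, "?", 2)[0])
	return ok && r.Allow
}

// DecideFixed normalizes before evaluating and denies unparsable targets.
func DecideFixed(target string) bool {
	_, normalized, err := parsePath(target)
	if err != nil {
		return false
	}
	r, ok := match(normalized)
	return ok && r.Allow
}

// TraversalAttempt is the IOC heuristic above: true when normalization changes
// the decoded path; the second value is what the request really resolves to.
func TraversalAttempt(target string) (bool, string) {
	decoded, normalized, err := parsePath(target)
	if err != nil {
		return true, "" // undecodable path: flag it
	}
	return normalized != decoded, normalized
}

// Constructed access-log lines (client, method, target, status), not real traffic.
var sampleLog = []string{
	"203.0.113.5 GET /public/index.html 200",
	"203.0.113.5 GET /public/../admin/secrets 200",
	"198.51.100.7 GET /public/%2e%2e/admin/secrets 200",
	"198.51.100.7 GET /public/ 200",
	"192.0.2.9 GET /admin/secrets 401",
}

// ScanAccessLog returns the request targets that TraversalAttempt flags.
func ScanAccessLog(lines []string) []string {
	var hits []string
	for _, line := range lines {
		if f := strings.Fields(line); len(f) >= 3 {
			if flagged, _ := TraversalAttempt(f[2]); flagged {
				hits = append(hits, f[2])
			}
		}
	}
	return hits
}

func main() {
	for _, t := range []string{"/public/../admin/secrets", "/public/%2e%2e/admin/secrets"} {
		fmt.Printf("%s: raw-path allow=%v normalized allow=%v\n", t, DecideVulnerable(t), DecideFixed(t))
	}
	fmt.Println("flagged in log:", ScanAccessLog(sampleLog))
}
```

The order of operations is the whole point: decode, then resolve dot segments, then match. Matching first and normalizing afterwards (or only in the upstream service) is exactly the gap described above. A request whose target cannot be decoded is denied rather than passed through, and the scanner treats it as worth a look for the same reason.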