CVE-2026-33494
Published 2026-03-26
Priority: P2 · 64 · CVSS 3.1: 10.0 critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS: 0.52% (40.1th percentile)
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | ory_oathkeeper | >= 0 < 0.40.10-0.20260320084758-8e0002140491 | 0.40.10-0.20260320084758-8e0002140491 |
| ory | oathkeeper | < 26.2.0 | 26.2.0 |
Detection & IOCs (extracted from sources)
- Detect HTTP requests containing un-normalized path traversal sequences (e.g. `/../`) in the request URI targeting ORY Oathkeeper-proxied endpoints, particularly where the raw path traverses from a permissive prefix (e.g. `/public/`) into a protected path (e.g. `/admin/`).
- Flag requests where URL path normalization would resolve to a different (more privileged) path than the raw request path; this indicates a rule-matching bypass attempt against Oathkeeper versions prior to 26.2.0.
- The affected package is github.com/ory/oathkeeper; deployments using this IAP/Access Control Decision API for HTTP authorization are at risk if running a pre-patch version.
OSV · 2026-03-23
CVE-2026-33494: Ory Oathkeeper has a path traversal authorization bypass in github.com/ory/oathkeeper
OSV · 2026-03-20
CVE-2026-33494 [CRITICAL]: Ory Oathkeeper has a path traversal authorization bypass
## Description
Ory Oathkeeper is vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation.
## Preconditions
Ory Oathkeeper rules are typically configured with patterns like:
```
/public/ → allow unauthenticated access
/admin/ → require authentication
```
Without path normalization, a request to `/public/../admin/secrets` is matched against the raw path `/public/../admin/secrets`. This matches the `/public/` rule, bypassing the authentication required for `/admin/secrets`.
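The following Go program is an added illustration, not code from the advisory, this page, or the Oathkeeper project. It models the two rules quoted above with a deliberately simplified prefix matcher and shows the two evaluation orders side by side: matching on the raw path (the flawed behaviour described in the Preconditions) versus normalizing first and denying by default. It also implements the heuristic from the Detection & IOCs section, flagging any request whose normalized path differs from its raw path, and generalizes slightly beyond the page by percent-decoding before normalizing and by treating repeated slashes as a mismatch. The `Rule` and `Decision` types, all function names, and the percent-decoding step are assumptions of this example; Oathkeeper's real rule format and matching strategy are richer than a prefix check.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Rule is a deliberately simplified prefix rule (hypothetical, not Oathkeeper's
// real rule type). It stands in for the "/public/ -> allow, /admin/ -> require
// authentication" pair quoted in the advisory.
type Rule struct {
	Prefix      string
	RequireAuth bool
}

// Rules is a constructed rule set mirroring the advisory's two example rules.
var Rules = []Rule{
	{Prefix: "/public/", RequireAuth: false},
	{Prefix: "/admin/", RequireAuth: true},
}

// Decision records how a request path was evaluated, including the fields a
// detection pipeline would want to log alongside the access decision.
type Decision struct {
	MatchedPrefix string // prefix of the rule that matched, "" if none
	RequireAuth   bool   // true if authentication is required (also the default when nothing matches)
	Normalized    string // path after percent-decoding and "." / ".." resolution
	Traversal     bool   // true when normalization changed the decoded path: the detection signal
}

// cleanPath collapses "." and ".." segments and repeated slashes. A trailing
// slash is preserved so directory-style prefixes such as "/admin/" keep matching,
// and a missing leading slash is added so path.Clean never yields ".".
func cleanPath(decoded string) string {
	if !strings.HasPrefix(decoded, "/") {
		decoded = "/" + decoded
	}
	cleaned := path.Clean(decoded)
	if strings.HasSuffix(decoded, "/") && cleaned != "/" {
		cleaned += "/"
	}
	return cleaned
}

// NormalizePath percent-decodes the raw request path and then cleans it. A
// malformed percent-escape is reported as an error instead of being passed through.
func NormalizePath(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	return cleanPath(decoded), nil
}

// IsTraversalAttempt is the detection heuristic from the advisory: the request
// is flagged when resolving dot segments changes the (decoded) path. Plain
// percent-encoding of ordinary characters is not flagged; an undecodable path is.
func IsTraversalAttempt(rawPath string) bool {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return true
	}
	return cleanPath(decoded) != decoded
}

// firstMatch returns the first rule whose prefix matches p.
func firstMatch(p string) (Rule, bool) {
	for _, r := range Rules {
		if strings.HasPrefix(p, r.Prefix) {
			return r, true
		}
	}
	return Rule{}, false
}

// EvaluateRaw matches rules against the path exactly as received. This is the
// flawed order the advisory describes: "/public/../admin/secrets" hits the
// permissive "/public/" rule even though it resolves to a protected path.
func EvaluateRaw(rawPath string) Decision {
	d := Decision{RequireAuth: true, Traversal: IsTraversalAttempt(rawPath)}
	if norm, err := NormalizePath(rawPath); err == nil {
		d.Normalized = norm
	}
	if r, ok := firstMatch(rawPath); ok {
		d.MatchedPrefix, d.RequireAuth = r.Prefix, r.RequireAuth
	}
	return d
}

// EvaluateNormalized is the corrected order: normalize first, match the
// normalized path, and deny by default when nothing matches or decoding fails.
func EvaluateNormalized(rawPath string) Decision {
	d := Decision{RequireAuth: true, Traversal: IsTraversalAttempt(rawPath)}
	norm, err := NormalizePath(rawPath)
	if err != nil {
		return d // undecodable path: no rule matched, authentication required
	}
	d.Normalized = norm
	if r, ok := firstMatch(norm); ok {
		d.MatchedPrefix, d.RequireAuth = r.Prefix, r.RequireAuth
	}
	return d
}

func main() {
	// Constructed sample request paths, including a percent-encoded variant.
	for _, p := range []string{"/public/index.html", "/public/../admin/secrets", "/public/%2e%2e/admin/secrets"} {
		raw, fixed := EvaluateRaw(p), EvaluateNormalized(p)
		fmt.Printf("%-30s raw: rule=%-9q auth=%-5v | normalized: rule=%-9q auth=%-5v traversal=%v\n",
			p, raw.MatchedPrefix, raw.RequireAuth, fixed.MatchedPrefix, fixed.RequireAuth, fixed.Traversal)
	}
}
```

The design point is the ordering: the decision must be computed on the same canonical path the upstream will serve, and a request that nothing matches must fall through to deny. Logging `Traversal` alongside each decision gives a detection pipeline the raw-versus-normalized mismatch signal directly, without re-parsing access logs.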
GHSA · 2026-03-20
CVE-2026-33494 [CRITICAL] CWE-23: Ory Oathkeeper has a path traversal authorization bypass (advisory text identical to the OSV entry above)
No detection rules found.
No public exploits indexed.