CVE-2026-33494
CRITICALOry Oathkeeper <26.2.0 HTTP Path Traversal - Authorization Bypass
Title source: manualDescription
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/ory/oathkeeper/security/advisories/GHSA-p224-6x5r-fjpm
X_Refsource_Misc x_refsource_misc
https://github.com/ory/oathkeeper/commit/8e0002140491c592db41fa141dc6ad68f417e2b2
Scores
CVSS v3
10.0
EPSS
0.0052
EPSS Percentile
39.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-23
Status
published
Products (2)
ory/oathkeeper
< 26.2.0 (2 CPE variants)
ory/oathkeeper
0 - 0.40.10-0.20260320084758-8e0002140491Go
Published
Mar 26, 2026
Tracked Since
Mar 26, 2026