CRITICAL🇵🇱 Wersja polska

CVE-2026-33494

CVSS 10.0v3.1pub. 2026-03-26upd. 2026-04-07

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.

🤖 AI Analysis
How it works

The vulnerability results from a discrepancy between the access rule matching stage and the URL path normalization stage. An attacker constructs a URL containing path traversal sequences (e.g., `/public/../admin/secrets`), which before normalization matches a permissive rule because the rule evaluation is performed on the raw, non-normalized path. After normalization by the target server, the path resolves to a protected resource, which is allowed through without proper permission verification.

Impact

An attacker can bypass access control rules and gain unauthorized access to protected API resources or applications behind the proxy. Depending on the architecture of the protected system, this can lead to disclosure of sensitive data or violation of resource integrity.

Mitigation & patch

Ory Oathkeeper should be updated to version 26.2.0, which contains a patch eliminating the vulnerability. The patch is available in the project repository (commit 8e0002140491c592db41fa141dc6ad68f417e2b2).

Who is affected

Ory Oathkeeper in versions earlier than 26.2.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
  • Ory Oathkeeper

    APP
    Ory
    < 26.2.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2026-33496HIGH8.1ten sam produkt

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP reques...

CVE-2021-32701HIGH7.5ten sam produkt

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP reques...

CVE-2026-33495MEDIUM6.5ten sam produkt

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP reques...

CVE-2026-33503HIGH7.2ten sam vendor

Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2...

CVE-2026-33504HIGH7.2ten sam vendor

Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth2Clients, ...