Zero Day Monitor
CVE-2026-33494
ory · oathkeeper
CVSS 3.1 base score: 10.0 (Critical)


Description

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.
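The bug class above, as an added illustration written for this page rather than code from the Oathkeeper project: a first-match, prefix-based rule set (a simplification of real access rules) is evaluated once against the request path exactly as sent and once against a normalized copy. The rule names, prefixes and request paths are constructed for the example; `url.PathUnescape` and `path.Clean` are Go standard-library functions. A rule engine that matches the raw string sees `/public/../admin/secrets` as a `/public/` request and lets it through anonymously, while the upstream resolves the same path to `/admin/secrets`. Matching the normalized path closes that gap; the normalizer also decodes percent-encoded dot segments and fails closed on paths it cannot decode or that are not rooted.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Rule is a simplified access rule: the first rule whose Prefix matches the
// request path wins. This illustrates the bug class; it is not Oathkeeper's
// rule format.
type Rule struct {
	Name         string
	Prefix       string
	RequiresAuth bool
}

// Constructed rule set for the example: anonymous access under /public/,
// authenticated access under /admin/. A request that matches no rule is denied.
var rules = []Rule{
	{Name: "public-anonymous", Prefix: "/public/", RequiresAuth: false},
	{Name: "admin-authenticated", Prefix: "/admin/", RequiresAuth: true},
}

// Normalize turns the path as sent into the path the upstream will actually
// serve: percent-decoding first (so "%2e%2e" becomes ".."), then collapsing
// dot segments and repeated slashes. It fails closed on undecodable or
// non-absolute input.
func Normalize(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", fmt.Errorf("undecodable path %q: %w", raw, err)
	}
	if !strings.HasPrefix(decoded, "/") {
		return "", fmt.Errorf("path must be absolute: %q", raw)
	}
	clean := path.Clean(decoded)
	// path.Clean strips a trailing slash; keep it so a directory rule such as
	// "/admin/" still matches a request for "/admin/" itself.
	if strings.HasSuffix(decoded, "/") && clean != "/" {
		clean += "/"
	}
	return clean, nil
}

func match(p string) (Rule, bool) {
	for _, r := range rules {
		if strings.HasPrefix(p, r.Prefix) {
			return r, true
		}
	}
	return Rule{}, false
}

// MatchRaw reproduces the vulnerable behaviour: rules are evaluated against
// the request path exactly as the client sent it.
func MatchRaw(raw string) (Rule, bool) {
	return match(raw)
}

// MatchNormalized evaluates rules against the normalized path, so traversal
// sequences cannot be matched by a rule written for a different prefix.
func MatchNormalized(raw string) (Rule, bool, error) {
	p, err := Normalize(raw)
	if err != nil {
		return Rule{}, false, err
	}
	r, ok := match(p)
	return r, ok, nil
}

func main() {
	for _, raw := range []string{
		"/public/index.html",
		"/public/../admin/secrets",
		"/public/%2e%2e/admin/secrets",
		"/public/../../etc/passwd",
		"/admin/secrets",
	} {
		rr, rok := MatchRaw(raw)
		nr, nok, err := MatchNormalized(raw)
		fmt.Printf("%-32s raw=%s(%v)  normalized=%s(%v) err=%v\n",
			raw, rr.Name, rok, nr.Name, nok, err)
	}
}
```

Two caveats a reviewer would raise against any such fix: the proxy must normalize the way the upstream does (backslashes, overlong UTF-8 and double decoding are all places where two implementations can disagree), and a request that matches no rule after normalization has to be denied rather than forwarded. Rejecting any path that still contains a `..` segment after decoding is a simpler policy when the upstream never needs one.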

Affected Products

Vendor: ory
Product: oathkeeper
Versions: 26.1.x as listed by this tracker; the description above states that all versions prior to 26.2.0 are affected and that 26.2.0 contains the fix

References

  • https://github.com/ory/oathkeeper/commit/8e0002140491c592db41fa141dc6ad68f417e2b2
  • https://github.com/ory/oathkeeper/security/advisories/GHSA-p224-6x5r-fjpm

Related News (1 article)

Tier C · VulDB · 8h ago
CVE-2026-33494 | ory oathkeeper up to 26.1.x Path Normalization path traversal
No new info (linked only)
CVSS 3.1: 10.0 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CISA KEV: No
Actively exploited: No
CWE: CWE-23 (Relative Path Traversal)
Published: 2026-03-26
Last enriched: 2h ago (v2)
Trending Score: 29
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack


Verification

State: verified
Confidence: 100%

Version History

v2 (Tier C, 2h ago, via VulDB)
Added vendor and product information, specified affected versions as 26.1.x, and noted that the patch is available in version 26.2.0.
Fields changed: vendor, product, affectedVersions, patchAvailable

v1 (3h ago)
Initial creation