CVSS 10.0 · CVE-2026-33494 · CVE-2026-33495

Ory Oathkeeper: Path Traversal and Auth Bypass Vulnerabilities

Critical vulnerabilities in Ory Oathkeeper allow path traversal and authentication bypass. Update to version 0.40.10-0.20260320084758-8e0002140491 or later to mitigate these risks.


Ory Oathkeeper is susceptible to path traversal and authentication bypass vulnerabilities. These flaws could allow attackers to bypass intended access controls. Patches are available to address these issues; users are urged to update immediately.

A CVSS score of 10 indicates a critical vulnerability requiring immediate attention.

What is Github.com/ory/oathkeeper?

Github.com/ory/oathkeeper is a Go module that acts as an identity and access proxy, authorizing HTTP requests based on a set of rules. It is often deployed as a reverse proxy or sidecar to enforce authentication and authorization policies. To learn more, search all github.com/ory/oathkeeper CVEs.

CVE-2026-33494: Path Traversal Authorization Bypass

CVSS: 10.0
Affected versions: This vulnerability affects Ory Oathkeeper instances where rules are configured with patterns that differentiate between public and admin paths, and where path normalization is not performed before rule matching.

Critical vulnerability, exploit leads to complete system compromise.

EPSS score of 0.056 indicates a low probability of exploitation.

Ory Oathkeeper is vulnerable to a path traversal authorization bypass. An attacker can craft a URL with path traversal sequences to access protected resources by bypassing authentication rules.

How to fix CVE-2026-33494 in Github.com/ory/oathkeeper

Patch immediately
  1. Update your Ory Oathkeeper dependency to the latest version.

Update Ory Oathkeeper:
go get -u github.com/ory/oathkeeper@latest

Workaround: Normalize HTTP paths in the layers in front of Oathkeeper, such as reverse proxies like Nginx or Envoy, or a CDN like Cloudflare, so that traversal sequences are resolved before the request reaches rule matching.

NextGuard automatically flags CVE-2026-33494 if github.com/ory/oathkeeper appears in any of your monitored projects — no manual lookup required.

CVE-2026-33495: Authentication Bypass via Untrusted Header

CVSS: 6.5
Affected versions: This affects Ory Oathkeeper deployments with distinct rules for HTTP and HTTPS requests, where attackers can influence the `X-Forwarded-Proto` header.

Medium severity, potential for authentication bypass.

EPSS score of 0.035 indicates a very low probability of exploitation.

Ory Oathkeeper incorrectly trusts the `X-Forwarded-Proto` header, leading to a potential authentication bypass. An attacker can manipulate this header to trigger unintended rules, bypassing authentication.
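An added example, not code from the advisory or from the Oathkeeper project, showing the two defensive checks the two CVEs above call for: matching rules against a normalized path rather than the raw one, and honouring `X-Forwarded-Proto` only when the direct peer is a configured trusted proxy. The rule set, the 10.0.0.0/8 trusted range and the function names are assumptions; Oathkeeper's real rule matching is more elaborate than this prefix match.

```go
package main

import (
	"net"
	"path"
	"strings"
)

type rule struct{ prefix, needs string } // constructed example rule: path prefix and what it needs
var rules = []rule{{"/admin", "admin"}, {"/", "anonymous"}}

// normalizePath resolves "." and ".." and collapses repeated slashes before matching,
// so the decoded path "/public/../admin/users" is evaluated as "/admin/users".
func normalizePath(p string) string {
	return path.Clean("/" + p)
}

// matchRule evaluates the rules against the normalized path, never the raw one.
func matchRule(rawPath string) string {
	p := normalizePath(rawPath)
	for _, r := range rules {
		if p == r.prefix || strings.HasPrefix(p, strings.TrimSuffix(r.prefix, "/")+"/") {
			return r.needs
		}
	}
	return "deny" // no rule matched: fail closed
}

// trustedProxy is the only network whose X-Forwarded-Proto is honoured (constructed value).
var _, trustedProxy, _ = net.ParseCIDR("10.0.0.0/8")

// requestScheme ignores X-Forwarded-Proto from any peer outside trustedProxy and
// falls back to the scheme of the connection itself.
func requestScheme(remoteAddr, forwardedProto string, tlsConn bool) string {
	scheme := "http"
	if tlsConn {
		scheme = "https"
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	ip := net.ParseIP(host)
	fp := strings.ToLower(strings.TrimSpace(forwardedProto))
	if err == nil && ip != nil && trustedProxy.Contains(ip) && (fp == "http" || fp == "https") {
		return fp
	}
	return scheme
}

func main() {
	println(matchRule("/public/../admin/users"), requestScheme("203.0.113.9:4321", "https", false))
}
```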

How to fix CVE-2026-33495 in Github.com/ory/oathkeeper

Patch within 24h
  1. Update your Ory Oathkeeper dependency to the latest version.

Update Ory Oathkeeper:
go get -u github.com/ory/oathkeeper@latest

Workaround: Drop any unexpected headers as early as possible, such as in the WAF.

NextGuard monitors this vulnerability and alerts you if github.com/ory/oathkeeper is detected in your dependencies.

Stay ahead of Go vulnerabilities

Proactively detect and respond to security threats in your Go projects. Use NextGuard to monitor your Go dependencies.


Frequently asked questions

These vulnerabilities pose a significant risk to Ory Oathkeeper deployments. Ensure you update to the latest version and implement the recommended workarounds. See all Go vulnerabilities.
