Platform: go
Component: github.com/ory/oathkeeper
Fixed in: 26.2.1, 0.40.10-0.20260320084758-8e0002140491
Ory Oathkeeper, an authentication server, is vulnerable to an authorization bypass due to a path traversal flaw. This allows attackers to craft URLs containing path traversal sequences, bypassing intended access controls. The vulnerability affects versions prior to 0.40.10-0.20260320084758-8e0002140491 and was published on 2026-03-20. A fix is available in version 0.40.10-0.20260320084758-8e0002140491.
The path traversal vulnerability in Ory Oathkeeper allows an attacker to bypass authorization checks and access protected resources. By manipulating the URL to include sequences like /public/../admin/secrets, an attacker can effectively navigate the file system beyond the intended boundaries. This can lead to unauthorized access to sensitive configuration files, credentials, or other data that should be protected by Oathkeeper's rules. The potential impact is significant, as a successful exploit could compromise the entire authentication infrastructure and expose user data. This vulnerability shares similarities with other path traversal exploits where improper input validation allows attackers to access files outside of the intended scope.
This vulnerability was publicly disclosed on 2026-03-20. Its severity is rated as CRITICAL (CVSS score 10). There is no indication of this vulnerability being added to the CISA KEV catalog or actively exploited in the wild at this time. Public proof-of-concept exploits are not currently available, but the ease of exploitation given the vulnerability type suggests that they may emerge.
Exploit Status
EPSS: 0.06% (18th percentile)
The primary mitigation for CVE-2026-33494 is to upgrade to version 0.40.10-0.20260320084758-8e0002140491 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Review Oathkeeper's rule configuration to ensure proper path normalization is enforced. While a direct WAF rule is difficult to implement due to the nature of path traversal, consider implementing stricter input validation on incoming requests to filter out suspicious characters and sequences. Monitor Oathkeeper logs for unusual access patterns or attempts to access restricted resources. After upgrading, confirm the fix by attempting to access protected resources using crafted URLs containing path traversal sequences; access should be denied.
Update Ory Oathkeeper to version 26.2.0 or higher. This version contains a fix for the path traversal vulnerability. The update will prevent attackers from bypassing authorization by manipulating paths.
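The advisory's workarounds (enforce path normalization before rules are evaluated, reject suspicious sequences on incoming requests, and watch the logs for traversal attempts) can all be built on one check: canonicalize the request path and refuse or flag anything that was not already canonical. The Go program below is an added example written for this page; it is not Oathkeeper's code, not the upstream fix, and it makes no claim about how Oathkeeper's rule matcher works. The middleware name, the backend handler, the request targets and the access-log format are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// NormalizePath percent-decodes a request path and resolves dot segments.
// It returns the canonical path and whether the path as sent already was
// canonical. A mismatch is the signal an authorizer should act on:
// "/public/../admin/secrets" canonicalizes to "/admin/secrets", so matching
// the raw string against a rule written for "/public/..." would be the
// wrong decision.
func NormalizePath(raw string) (clean string, canonical bool) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		// Malformed escapes such as "%zz" are never canonical.
		return "", false
	}
	// path.Clean collapses "/./", "/../" and repeated slashes and roots the
	// result; the leading "/" guards against a path that omits it.
	clean = path.Clean("/" + decoded)
	// path.Clean drops a trailing slash; keep it so "/admin/" and "/admin"
	// stay distinguishable for prefix rules.
	if strings.HasSuffix(decoded, "/") && clean != "/" {
		clean += "/"
	}
	return clean, clean == raw
}

// RejectNonCanonical is a hypothetical middleware placed in front of a
// rule-based authorizer. It refuses any request whose path is not already
// canonical, so a traversal sequence never reaches rule matching at all.
func RejectNonCanonical(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// EscapedPath keeps the encoding as sent, so "%2e%2e" is inspected
		// as the client wrote it rather than after Go's own decoding.
		if _, ok := NormalizePath(r.URL.EscapedPath()); !ok {
			http.Error(w, "non-canonical request path", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// SuspiciousPathLines applies the same check to access-log lines and returns
// the ones whose request path is not canonical. The log format is constructed
// for this example: "<timestamp> <method> <path> <status>".
func SuspiciousPathLines(logLines []string) []string {
	var hits []string
	for _, line := range logLines {
		fields := strings.Fields(line)
		if len(fields) < 3 {
			continue
		}
		if _, ok := NormalizePath(fields[2]); !ok {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "served %s\n", r.URL.Path)
	})
	guarded := RejectNonCanonical(backend)

	// Constructed request targets: one clean, one plain traversal, one encoded.
	for _, target := range []string{"/public/index.html", "/public/../admin/secrets", "/api/%2e%2e/admin"} {
		rec := httptest.NewRecorder()
		guarded.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
		fmt.Printf("%-26s -> %d\n", target, rec.Code)
	}

	// Constructed access-log lines in the format documented above.
	logLines := []string{
		"2026-03-20T10:00:00Z GET /api/users 200",
		"2026-03-20T10:00:01Z GET /public/../admin/secrets 200",
		"2026-03-20T10:00:02Z GET /api/%2e%2e/admin 403",
	}
	for _, hit := range SuspiciousPathLines(logLines) {
		fmt.Println("suspicious:", hit)
	}
}
```

Rejecting non-canonical paths outright, rather than silently cleaning them, is the safer choice in front of an authorizer: a client with a legitimate reason to request "/admin/secrets" can send exactly that, and a request that needed "/public/../" to get there is worth a log entry and a 400. The log scan is the after-the-fact version of the same rule and is what the advisory's "monitor logs for unusual access patterns" advice reduces to for this bug class.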
CVE-2026-33494 is a critical vulnerability in Ory Oathkeeper that allows attackers to bypass authorization checks by crafting malicious URLs containing path traversal sequences.
You are affected if you are using Ory Oathkeeper versions prior to 0.40.10-0.20260320084758-8e0002140491. Review your deployments to determine if you are vulnerable.
Upgrade to version 0.40.10-0.20260320084758-8e0002140491 or later. Implement stricter input validation as a temporary workaround if an upgrade is not immediately possible.
There is currently no evidence of active exploitation, but the vulnerability's severity and ease of exploitation suggest that it could be targeted in the future.
Refer to the official Ory Oathkeeper security advisories on their website or GitHub repository for the most up-to-date information.