CVE-2026-33494
Status: Received - Intake
Authorization Bypass via HTTP Path Traversal in ORY Oathkeeper

Publication date: 2026-03-26

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.
Meta Information
Published: 2026-03-26
Last Modified: 2026-04-07
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Vendor: ory
Product: oathkeeper
Version / Range: to 26.2.0 (exc)
CWE-23: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33494 is a critical authorization bypass vulnerability in ORY Oathkeeper, an Identity & Access Proxy. The issue arises because Oathkeeper matches authorization rules against the raw, un-normalized HTTP request path. An attacker can craft URLs containing path traversal sequences (e.g., `/public/../admin/secrets`) that, after normalization, resolve to protected resources but are incorrectly matched against permissive rules due to the lack of path normalization during rule evaluation.

For example, a permissive rule might allow unauthenticated access to `/public/<.*>`, while `/admin/<.*>` requires authentication. Without normalization, a request to `/public/../admin/secrets` matches the `/public/<.*>` rule, bypassing authentication. However, the upstream server normalizes the path and serves the protected `/admin/secrets` resource, resulting in unauthorized access.

The vulnerability is classified as CWE-23 (Relative Path Traversal) and has a CVSS v3 base score of 10.0 (Critical). It affects all versions prior to v26.2.0, which contains a patch that normalizes request paths before rule matching.
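The following Go program is an added illustration of the matching defect described above; it is not Oathkeeper's code. It models two access rules in Oathkeeper's `<regex>` pattern style (the `rule` type, `compile` and the decision functions are assumed simplifications) and shows that evaluating rules against the raw path lets `/public/../admin/secrets` hit the open `/public` rule, while cleaning the path first routes it to the `/admin` rule.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
)

// rule models an Oathkeeper-style access rule (a simplified stand-in, not Oathkeeper's
// own types): a path pattern with <regex> delimiters and whether it demands authentication.
type rule struct{ pattern string; requireAuth bool }

// Constructed rule set mirroring the page's example: /public is open, /admin is not.
var rules = []rule{{"/public/<.*>", false}, {"/admin/<.*>", true}}

var delim = regexp.MustCompile(`<[^>]*>`)

// compile turns "/public/<.*>" into the anchored regexp ^/public/(.*)$:
// literal text is quoted, each <...> becomes a capture group.
func compile(p string) *regexp.Regexp {
	re, last := "^", 0
	for _, m := range delim.FindAllStringIndex(p, -1) {
		re += regexp.QuoteMeta(p[last:m[0]]) + "(" + p[m[0]+1:m[1]-1] + ")"
		last = m[1]
	}
	return regexp.MustCompile(re + regexp.QuoteMeta(p[last:]) + "$")
}

// requiresAuth returns the first matching rule's verdict; ok=false means no rule matched.
func requiresAuth(p string) (needAuth, ok bool) {
	for _, r := range rules {
		if compile(r.pattern).MatchString(p) {
			return r.requireAuth, true
		}
	}
	return true, false
}

// VulnerableDecision matches the raw request path, as versions before 26.2.0 did.
func VulnerableDecision(raw string) (needAuth, ok bool) { return requiresAuth(raw) }

// FixedDecision resolves "." and ".." first (path.Clean does not percent-decode), so the
// rule is evaluated against the same path the upstream will actually serve.
func FixedDecision(raw string) (needAuth, ok bool) { return requiresAuth(path.Clean(raw)) }

func main() { // prints "vulnerable needAuth: false fixed needAuth: true"
	v, _ := VulnerableDecision("/public/../admin/secrets")
	f, _ := FixedDecision("/public/../admin/secrets")
	fmt.Println("vulnerable needAuth:", v, "fixed needAuth:", f)
}
```

The decision path and the path forwarded upstream must be the same normalized value; normalizing for the decision alone while forwarding the raw path would leave the mismatch in place.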


How can this vulnerability impact me?

This vulnerability allows an attacker to bypass authorization controls and gain unauthorized access to protected resources by exploiting path traversal sequences in URLs.

  • Unauthorized access to sensitive or protected endpoints that should require authentication.
  • Potential exposure of confidential information or administrative functions.
  • Compromise of data confidentiality and integrity due to unauthorized access.

Because the vulnerability requires no privileges and no user interaction, it can be exploited remotely over the network, making it highly severe.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP requests for suspicious path traversal sequences in URLs, such as `/public/../admin/secrets`, which attempt to bypass authorization rules by exploiting un-normalized paths.

To detect exploitation attempts on your system or network, you can look for HTTP requests containing path traversal patterns like `../` in URLs that should be protected.

Suggested commands include using network traffic inspection tools or web server logs to search for such patterns. For example, using grep on access logs:

  • `grep -E '\.\./' /var/log/nginx/access.log`
  • tcpdump or Wireshark filters to capture HTTP requests containing `../` sequences.

Additionally, reviewing Ory Oathkeeper logs for requests that match permissive rules but contain path traversal sequences can help identify potential exploitation.
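As an added example (not from the page or the Oathkeeper project), this Go scanner applies the detection idea above to constructed nginx access-log lines. It differs from a plain grep in two ways a defender cares about: it decodes the request target before looking for `..` segments, and it ignores query strings so `../` inside a parameter does not fire. The log lines, `Traversal` and `ScanLog` are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// SampleLog holds constructed nginx "combined"-format lines (not real traffic): one benign
// request, the page's traversal example, its percent-encoded form, and a direct /admin hit.
const SampleLog = `203.0.113.5 - - [26/Mar/2026:10:00:01 +0000] "GET /public/index.html HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [26/Mar/2026:10:00:02 +0000] "GET /public/../admin/secrets HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.7 - - [26/Mar/2026:10:00:03 +0000] "GET /public/%2e%2e/admin/secrets HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.9 - - [26/Mar/2026:10:00:04 +0000] "GET /admin/secrets HTTP/1.1" 401 0 "-" "curl/8.0"`

// reqTarget captures the request target from the quoted request line.
var reqTarget = regexp.MustCompile(`"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/`)

// Traversal reports whether a request target contains a ".." segment once the query
// string is dropped and percent-encoding is decoded. A plain grep for "../" misses the
// encoded form and fires on query parameters that merely contain the text.
func Traversal(target string) bool {
	p, _, _ := strings.Cut(target, "?") // drop the query string
	if dec, err := url.PathUnescape(p); err == nil {
		p = dec
	}
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// ScanLog returns, in order, the request targets of log lines that contain traversal segments.
func ScanLog(log string) []string {
	var hits []string
	for _, line := range strings.Split(log, "\n") {
		if m := reqTarget.FindStringSubmatch(line); m != nil && Traversal(m[1]) {
			hits = append(hits, m[1])
		}
	}
	return hits
}

func main() { fmt.Println("traversal requests:", ScanLog(SampleLog)) }
```

A hit with a 2xx status on a path that should have required authentication is the strongest signal; a 401 or 403 on the same request shows the rule set held.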


What immediate steps should I take to mitigate this vulnerability?

The primary immediate mitigation step is to upgrade Ory Oathkeeper to version 26.2.0 or later, where the vulnerability is patched by normalizing HTTP request paths before rule matching.

In addition to upgrading, implement defense-in-depth by ensuring that upstream components also normalize HTTP paths to prevent similar bypasses:

  • For Nginx: Use the normalized `$uri` variable instead of `$request_uri` in matching rules, as Nginx normalizes paths by default with `proxy_pass`.
  • For Envoy: Enable the `normalize_path` option (available since Envoy 1.14) to normalize path components before matching and forwarding.
  • For Cloudflare: Ensure the "Normalize incoming URLs" setting is enabled in the dashboard under Rules → Normalization.

These steps help ensure that path traversal sequences are properly handled and do not bypass access control rules.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in ORY Oathkeeper allows unauthorized access to protected resources by bypassing authorization rules through HTTP path traversal. This results in a critical confidentiality and integrity impact, as attackers can access sensitive data without proper authentication.

Such unauthorized access to sensitive information can lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Therefore, if exploited, this vulnerability could cause violations of these regulations due to exposure of protected data and failure to enforce proper authorization.

