CVE-2026-33494
Received Received - Intake
Authorization Bypass via HTTP Path Traversal in ORY Oathkeeper

Publication date: 2026-03-26

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33494
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ory oathkeeper to 26.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in ORY Oathkeeper allows unauthorized access to protected resources by bypassing authorization rules through HTTP path traversal. This results in a critical confidentiality and integrity impact, as attackers can access sensitive data without proper authentication.

Such unauthorized access to sensitive information can lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Therefore, if exploited, this vulnerability could cause violations of these regulations due to exposure of protected data and failure to enforce proper authorization.

Executive Summary

CVE-2026-33494 is a critical authorization bypass vulnerability in ORY Oathkeeper, an Identity & Access Proxy. The issue arises because Oathkeeper matches authorization rules against the raw, un-normalized HTTP request path. An attacker can craft URLs containing path traversal sequences (e.g., `/public/../admin/secrets`) that, after normalization, resolve to protected resources but are incorrectly matched against permissive rules due to the lack of path normalization during rule evaluation.

For example, a permissive rule might allow unauthenticated access to `/public/<.*>`, while `/admin/<.*>` requires authentication. Without normalization, a request to `/public/../admin/secrets` matches the `/public/<.*>` rule, bypassing authentication. However, the upstream server normalizes the path and serves the protected `/admin/secrets` resource, resulting in unauthorized access.

The vulnerability is classified as CWE-23 (Relative Path Traversal) and has a CVSS v3 base score of 10.0 (Critical). It affects all versions prior to v26.2.0, which contains a patch that normalizes request paths before rule matching.

Impact Analysis

This vulnerability allows an attacker to bypass authorization controls and gain unauthorized access to protected resources by exploiting path traversal sequences in URLs.

  • Unauthorized access to sensitive or protected endpoints that should require authentication.
  • Potential exposure of confidential information or administrative functions.
  • Compromise of data confidentiality and integrity due to unauthorized access.

Because the vulnerability requires no privileges and no user interaction, it can be exploited remotely over the network, making it highly severe.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests for suspicious path traversal sequences in URLs, such as `/public/../admin/secrets`, which attempt to bypass authorization rules by exploiting un-normalized paths.

To detect exploitation attempts on your system or network, you can look for HTTP requests containing path traversal patterns like `../` in URLs that should be protected.

Suggested commands include using network traffic inspection tools or web server logs to search for such patterns. For example, using grep on access logs:

  • grep -E '\.\./' /var/log/nginx/access.log
  • tcpdump or Wireshark filters to capture HTTP requests containing `../` sequences.

Additionally, reviewing Ory Oathkeeper logs for requests that match permissive rules but contain path traversal sequences can help identify potential exploitation.

Mitigation Strategies

The primary immediate mitigation step is to upgrade Ory Oathkeeper to version 26.2.0 or later, where the vulnerability is patched by normalizing HTTP request paths before rule matching.

In addition to upgrading, implement defense-in-depth by ensuring that upstream components also normalize HTTP paths to prevent similar bypasses:

  • For Nginx: Use the normalized `$uri` variable instead of `$request_uri` in matching rules, as Nginx normalizes paths by default with `proxy_pass`.
  • For Envoy: Enable the `normalize_path` option (available since Envoy 1.14) to normalize path components before matching and forwarding.
  • For Cloudflare: Ensure the "Normalize incoming URLs" setting is enabled in the dashboard under Rules β†’ Normalization.

These steps help ensure that path traversal sequences are properly handled and do not bypass access control rules.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33494. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart