CVE-2026-33495
Improper Header Validation in Ory Oathkeeper Enables Access Bypass

Publication date: 2026-03-26

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component might forward the request to the Oathkeeper proxy with a different protocol (http vs. https) than the original request. In order to properly match the request against the configured rules, Oathkeeper considers the `X-Forwarded-Proto` header when evaluating rules. The configuration option `serve.proxy.trust_forwarded_headers` (defaults to false) governs whether this and other `X-Forwarded-*` headers should be trusted.

Prior to version 26.2.0, Oathkeeper did not properly respect this configuration, and would always consider the `X-Forwarded-Proto` header. In order for an attacker to abuse this, an installation of Ory Oathkeeper needs to have distinct rules for HTTP and HTTPS requests. Also, the attacker needs to be able to trigger one but not the other rule. In this scenario, the attacker can send the same request but with the `X-Forwarded-Proto` header in order to trigger the other rule. We do not expect many configurations to meet these preconditions.

Version 26.2.0 contains a patch. Ory Oathkeeper will correctly respect the `serve.proxy.trust_forwarded_headers` configuration going forward, thereby eliminating the attack scenario. We recommend upgrading to a fixed version even if the preconditions are not met. As an additional mitigation, it is generally recommended to drop any unexpected headers as early as possible when a request is handled, e.g. in the WAF.
Meta Information
Published: 2026-03-26
Last Modified: 2026-04-02
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor: ory
Product: oathkeeper
Version / Range: up to 26.2.0 (excluding)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33495 is a moderate severity authentication bypass vulnerability in Ory Oathkeeper, an Identity & Access Proxy that authorizes HTTP requests based on Access Rules.

The vulnerability arises because Oathkeeper did not properly respect the configuration option `serve.proxy.trust_forwarded_headers`, which controls whether the proxy should trust the `X-Forwarded-Proto` HTTP header.

Prior to version 26.2.0, Oathkeeper always considered the `X-Forwarded-Proto` header regardless of this setting, allowing an attacker to spoof the protocol (HTTP vs HTTPS) of a request.

If an installation has distinct rules for HTTP and HTTPS requests and the attacker can trigger one rule but not the other, they can send a request with a manipulated `X-Forwarded-Proto` header to bypass authentication by causing Oathkeeper to apply the wrong rule.

The issue is fixed in version 26.2.0, where Oathkeeper correctly respects the `serve.proxy.trust_forwarded_headers` configuration, preventing this attack vector.
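The following Go program is an added illustration of the behaviour described in the advisory and in the answer above; it is not Oathkeeper's own code. The `Rule` type, the rule names, the `legacyScheme`/`fixedScheme` resolvers and the sample request are all constructed for this example. It shows why honouring `X-Forwarded-Proto` unconditionally (the pre-26.2.0 behaviour) lets a plaintext request match the HTTPS rule, and how gating the header on a `trust_forwarded_headers` flag (default false) restores the intended decision.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Rule is a minimal stand-in for an access rule keyed on the request scheme.
// Hypothetical type for this illustration, not Oathkeeper's rule model.
type Rule struct {
	Name   string
	Scheme string // "http" or "https"
	Allow  bool   // true: pass through; false: reject (e.g. demand authentication)
}

// forwardedProto returns a sanitised X-Forwarded-Proto value, or "" when the
// header is absent or not a recognised scheme.
func forwardedProto(r *http.Request) string {
	p := strings.ToLower(strings.TrimSpace(r.Header.Get("X-Forwarded-Proto")))
	if p == "http" || p == "https" {
		return p
	}
	return ""
}

// connectionScheme derives the scheme from the connection this process
// actually terminated, ignoring every forwarded header.
func connectionScheme(r *http.Request) string {
	if r.TLS != nil {
		return "https"
	}
	return "http"
}

// legacyScheme models the pre-26.2.0 behaviour from the advisory: the header
// is honoured whenever present, whatever the configuration says.
func legacyScheme(r *http.Request) string {
	if p := forwardedProto(r); p != "" {
		return p
	}
	return connectionScheme(r)
}

// fixedScheme models the patched behaviour: the header only counts when the
// operator opted in via trust_forwarded_headers (default false).
func fixedScheme(r *http.Request, trustForwardedHeaders bool) string {
	if trustForwardedHeaders {
		if p := forwardedProto(r); p != "" {
			return p
		}
	}
	return connectionScheme(r)
}

// matchRule returns the first rule for scheme, or nil when none matches.
func matchRule(rules []Rule, scheme string) *Rule {
	for i := range rules {
		if rules[i].Scheme == scheme {
			return &rules[i]
		}
	}
	return nil
}

// decide evaluates rules for a resolved scheme; no matching rule means deny.
func decide(rules []Rule, scheme string) (ruleName string, allowed bool) {
	if m := matchRule(rules, scheme); m != nil {
		return m.Name, m.Allow
	}
	return "", false
}

func decideLegacy(r *http.Request, rules []Rule) (string, bool) {
	return decide(rules, legacyScheme(r))
}

func decideFixed(r *http.Request, rules []Rule, trustForwardedHeaders bool) (string, bool) {
	return decide(rules, fixedScheme(r, trustForwardedHeaders))
}

// plaintextRequest builds a constructed sample: a request that arrived over
// plain HTTP but carries a client-supplied X-Forwarded-Proto header.
func plaintextRequest(forwarded string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "http://oathkeeper.internal/api/resource", nil)
	if forwarded != "" {
		r.Header.Set("X-Forwarded-Proto", forwarded)
	}
	return r
}

// SampleRules reproduce the advisory's precondition: distinct rules per scheme.
var SampleRules = []Rule{
	{Name: "http-require-auth", Scheme: "http", Allow: false},
	{Name: "https-passthrough", Scheme: "https", Allow: true},
}

func main() {
	r := plaintextRequest("https")
	name, ok := decideLegacy(r, SampleRules)
	fmt.Printf("legacy:            rule=%s allowed=%v\n", name, ok)
	name, ok = decideFixed(r, SampleRules, false)
	fmt.Printf("fixed (untrusted): rule=%s allowed=%v\n", name, ok)
	name, ok = decideFixed(r, SampleRules, true)
	fmt.Printf("fixed (trusted):   rule=%s allowed=%v\n", name, ok)
}
```

The resolver also discards header values that are not `http` or `https`, so a malformed value falls back to the observed connection scheme rather than producing a rule miss; with the flag left at its default of false the header is never consulted at all, which is the patched behaviour the advisory describes.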


How can this vulnerability impact me?

This vulnerability can allow an attacker to bypass authentication controls in Ory Oathkeeper if certain conditions are met.

Specifically, if your deployment has different access rules for HTTP and HTTPS requests and the attacker can trigger one rule but not the other, they could manipulate the `X-Forwarded-Proto` header to make Oathkeeper apply the incorrect rule.

This could lead to unauthorized access to protected resources, compromising confidentiality and integrity of data.

The vulnerability has a CVSS v3.1 base score of 6.5, indicating moderate severity with low complexity and no required privileges or user interaction.

Mitigations include upgrading to version 26.2.0 or later and dropping unexpected headers early in the request handling chain, such as in a WAF.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking if your Ory Oathkeeper deployment is running a version prior to v26.2.0 and if it improperly trusts the X-Forwarded-Proto header regardless of the serve.proxy.trust_forwarded_headers configuration.

You can inspect network traffic or logs for requests containing the X-Forwarded-Proto header to see if it is being used to influence access rules unexpectedly.

Commands to help detect this might include:

  • Using curl to send requests with manipulated X-Forwarded-Proto headers and observing the response behavior to see if HTTP and HTTPS rules are bypassed.
  • Example curl command: curl -H "X-Forwarded-Proto: https" http://your-oathkeeper-endpoint -v
  • Checking the Oathkeeper configuration file or environment variables to verify the value of serve.proxy.trust_forwarded_headers.
  • Reviewing logs or enabling debug logging in Oathkeeper to detect if requests with X-Forwarded-Proto headers are treated differently than expected.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Ory Oathkeeper to version 26.2.0 or later, where the vulnerability is fixed by properly respecting the serve.proxy.trust_forwarded_headers configuration.

Additionally, it is recommended to drop any unexpected or untrusted X-Forwarded-* headers as early as possible in the request handling chain, for example in your WAF or reverse proxy.

Ensure that the serve.proxy.trust_forwarded_headers configuration is set appropriately (default is false) to avoid trusting forwarded headers unless explicitly intended.
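The advisory's second mitigation is to drop unexpected forwarding headers at the first hop that handles the request. The Go middleware below is an added example of that control for an edge component in front of Oathkeeper; it is not code from Ory or from any WAF product. The trusted-proxy range, the `sampleRequest` helper and the header set it strips are assumptions constructed for the example: headers in the `X-Forwarded-*` family, `Forwarded` and `X-Real-IP` are removed unless the peer is a configured upstream proxy, and `X-Forwarded-Proto` is then re-stamped from the scheme this hop actually observed.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// trustedProxies lists the only peers allowed to supply forwarding headers.
// Constructed sample value; in practice this is the WAF/CDN egress range.
var trustedProxies = mustCIDRs("10.0.0.0/8")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// fromTrustedProxy reports whether remoteAddr (host:port) is inside a trusted range.
func fromTrustedProxy(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range trustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// isForwardingHeader reports whether name describes the original request and
// must therefore only ever come from a trusted hop.
func isForwardingHeader(name string) bool {
	n := strings.ToLower(name)
	return strings.HasPrefix(n, "x-forwarded-") || n == "forwarded" || n == "x-real-ip"
}

// sanitizeForwardingHeaders removes forwarding headers sent by untrusted peers
// and re-stamps X-Forwarded-Proto from the connection this hop observed.
// It returns the (sorted) names it dropped so the caller can log them.
func sanitizeForwardingHeaders(r *http.Request) []string {
	var dropped []string
	if fromTrustedProxy(r.RemoteAddr) {
		return dropped
	}
	for name := range r.Header {
		if isForwardingHeader(name) {
			dropped = append(dropped, name)
		}
	}
	for _, name := range dropped {
		r.Header.Del(name)
	}
	proto := "http"
	if r.TLS != nil {
		proto = "https"
	}
	r.Header.Set("X-Forwarded-Proto", proto)
	sort.Strings(dropped)
	return dropped
}

// StripUntrustedForwardedHeaders wraps a handler so the sanitisation runs before
// the request is proxied onward (here, toward Oathkeeper).
func StripUntrustedForwardedHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if dropped := sanitizeForwardingHeaders(r); len(dropped) > 0 {
			log.Printf("dropped forwarding headers %v from %s", dropped, r.RemoteAddr)
		}
		next.ServeHTTP(w, r)
	})
}

// sampleRequest is a constructed plaintext request carrying client-supplied
// forwarding headers, as if a client tried to claim it arrived over HTTPS.
func sampleRequest(remoteAddr string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "http://edge.example/api/resource", nil)
	r.RemoteAddr = remoteAddr
	r.Header.Set("X-Forwarded-Proto", "https")
	r.Header.Set("X-Forwarded-For", "203.0.113.9")
	r.Header.Set("Forwarded", "proto=https")
	return r
}

func main() {
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "proto seen downstream: %s\n", r.Header.Get("X-Forwarded-Proto"))
	})
	h := StripUntrustedForwardedHeaders(inner)
	for _, peer := range []string{"198.51.100.7:40000", "10.20.30.40:40000"} {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, sampleRequest(peer))
		fmt.Printf("%s -> %s", peer, rec.Body.String())
	}
}
```

Stripping at the edge keeps the decision independent of whether every downstream component honours its own trust setting: even an Oathkeeper that still consults `X-Forwarded-Proto` unconditionally only ever sees the value this hop wrote. Logging the dropped header names gives the detection signal the previous answer asks for, a client sending forwarding headers it has no business sending.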


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-33495 is an authentication bypass vulnerability that could allow attackers to bypass security rules based on the HTTP scheme by spoofing the X-Forwarded-Proto header. This could potentially lead to unauthorized access to protected resources.

Such unauthorized access risks may impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. If an attacker exploits this vulnerability to gain unauthorized access, it could result in data breaches or exposure of personal or protected health information, thereby violating these regulations.

Mitigations include upgrading to the fixed version (v26.2.0) where the proxy respects the trust configuration for forwarded headers, and dropping unexpected headers early in the request handling chain (e.g., in a WAF). These steps help maintain compliance by ensuring proper enforcement of access control policies.

