Executive Summary

CVE-2026-33496 is an authentication bypass vulnerability in Ory Oathkeeper versions prior to 26.2.0. The issue arises from cache key confusion in the oauth2_introspection authenticator component. Specifically, the cache key used to store validated tokens only considered the token string itself and did not include the introspection server URL. This means that tokens validated against one introspection server could be incorrectly reused for authentication checks against a different introspection server.

An attacker who has a valid token for one introspection server can prime the cache with that token and then use the same token to bypass authentication for rules that rely on a different introspection server. This happens because the cache does not distinguish tokens by the introspection URL, leading to token cache poisoning or misuse.

The vulnerability is fixed in version 26.2.0 by including the introspection server URL in the cache key, ensuring tokens are cached distinctly per introspection endpoint.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized authentication bypass, allowing an attacker to gain access to resources or services they should not be authorized to access.

Because the cache key does not differentiate tokens validated against different introspection servers, an attacker with a valid token for one server can reuse it to bypass authentication rules tied to another server.

• Attack Vector: Network (remote exploitation possible)
• Attack Complexity: Low (no special conditions required)
• Privileges Required: Low (attacker needs a valid token)
• User Interaction: None

The impact includes high confidentiality and integrity risks, meaning unauthorized data access and modification are possible, though availability is not affected.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying whether your Ory Oathkeeper deployment is running a version prior to 26.2.0 and if it is configured with multiple oauth2_introspection authenticators with caching enabled.

You can check the version of Ory Oathkeeper by running the following command on the system where it is installed:

• ory oathkeeper version

To verify if caching is enabled for oauth2_introspection authenticators, inspect the Ory Oathkeeper configuration files for the presence of multiple oauth2_introspection authenticators and check if caching is enabled.

Additionally, monitoring network traffic or logs for unusual reuse of tokens across different introspection URLs could indicate exploitation attempts, but specific commands for this are not provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update Ory Oathkeeper to version 26.2.0 or later, where the vulnerability is fixed by including the introspection server URL in the cache key.

If immediate updating is not possible, you should disable caching for the oauth2_introspection authenticators to prevent cache key confusion and authentication bypass.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Ory Oathkeeper allows an attacker to bypass authentication by exploiting cache key confusion in the oauth2_introspection authenticator. This can lead to unauthorized access to sensitive data and unauthorized modification of data.

Such unauthorized access and modification can result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Therefore, if exploited, this vulnerability could compromise compliance with these regulations by allowing attackers to access or alter protected data without proper authorization.

Mitigation by updating to version 26.2.0 or disabling caching for oauth2_introspection authenticators is necessary to maintain compliance and prevent potential data breaches.

Useful 0 Not Useful 0