CVE-2026-33496
Authentication Bypass in Ory Oathkeeper via Cache Key Confusion
Publication date: 2026-03-26
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ory | oathkeeper | before 26.2.0 (26.2.0 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1289 | The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value. |
| CWE-305 | The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33496 is an authentication bypass in Ory Oathkeeper versions before 26.2.0. The oauth2_introspection authenticator caches the result of a successful token introspection so that later requests carrying the same token do not hit the introspection server again. In affected versions the cache key was derived from the token string alone and did not include the introspection server URL. A deployment that uses more than one introspection endpoint (for example, access rules that override introspection_url to point at different authorization servers) therefore shares one cache entry per token, and a token validated by one introspection server is treated as valid for rules that are supposed to validate it against a different one.
An attacker who holds a valid token for introspection server A first sends a request to a rule that validates against A; the successful introspection primes the cache with that token. They then replay the same token against a rule that is configured to validate against introspection server B. Because the lookup considers only the token, the cached result from A is returned and the request is authenticated without B ever being consulted.
The fix in 26.2.0 includes the introspection server URL in the cache key, so a cached result is only reused for the endpoint that produced it.
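The following is an added illustration of the cache-key confusion described above, not code from Ory Oathkeeper. It models the authenticator as a shared token cache with a pluggable key function, fakes two RFC 7662 introspection endpoints with httptest (server A knows the constructed token "tok-for-A", server B knows no tokens), and runs the prime-then-replay sequence against both the pre-26.2.0 key (token only) and the fixed key (URL plus token). The names, the request layout and the assumption that only successful introspections are cached are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// KeyFunc builds the cache key for an introspection result.
type KeyFunc func(introspectionURL, token string) string

// VulnerableKey keys the cache on the token alone (the pre-26.2.0 behaviour).
func VulnerableKey(_, token string) string { return token }

// FixedKey scopes the entry to the introspection endpoint that produced it.
func FixedKey(introspectionURL, token string) string {
	return introspectionURL + "\x00" + token
}

// Authenticator is a toy stand-in for the oauth2_introspection handler: one
// cache shared by every access rule, each rule supplying its own URL.
type Authenticator struct {
	key   KeyFunc
	cache map[string]bool // only successful introspections are stored (assumption)
	calls map[string]int  // introspection requests actually sent, per URL
}

func NewAuthenticator(key KeyFunc) *Authenticator {
	return &Authenticator{key: key, cache: map[string]bool{}, calls: map[string]int{}}
}

// Authenticate validates token for a rule bound to introspectionURL.
func (a *Authenticator) Authenticate(introspectionURL, token string) (bool, error) {
	k := a.key(introspectionURL, token)
	if active, ok := a.cache[k]; ok {
		return active, nil // cache hit: the introspection server is never asked
	}
	a.calls[introspectionURL]++
	resp, err := http.PostForm(introspectionURL, url.Values{"token": {token}})
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	var r struct {
		Active bool `json:"active"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&r); err != nil {
		return false, err
	}
	if r.Active {
		a.cache[k] = true
	}
	return r.Active, nil
}

// newIntrospectionServer fakes an introspection endpoint that knows the given tokens.
func newIntrospectionServer(known map[string]bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_ = r.ParseForm()
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(map[string]bool{"active": known[r.FormValue("token")]})
	}))
}

// Scenario primes the cache through a rule bound to server A, then replays the
// same token against a rule bound to server B, which never issued it. It
// reports whether each rule accepted the token and how often B was contacted.
func Scenario(key KeyFunc) (acceptedA, acceptedB bool, callsToB int, err error) {
	serverA := newIntrospectionServer(map[string]bool{"tok-for-A": true}) // constructed token
	defer serverA.Close()
	serverB := newIntrospectionServer(map[string]bool{}) // knows no tokens at all
	defer serverB.Close()

	auth := NewAuthenticator(key)
	if acceptedA, err = auth.Authenticate(serverA.URL, "tok-for-A"); err != nil {
		return
	}
	if acceptedB, err = auth.Authenticate(serverB.URL, "tok-for-A"); err != nil {
		return
	}
	callsToB = auth.calls[serverB.URL]
	return
}

func main() {
	for name, key := range map[string]KeyFunc{"token-only key": VulnerableKey, "url+token key": FixedKey} {
		a, b, calls, err := Scenario(key)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-15s rule A accepted=%v  rule B accepted=%v  introspections sent to B=%d\n", name, a, b, calls)
	}
}
```

With the token-only key, rule B accepts the token and server B receives zero introspection requests; with the URL-scoped key, rule B misses the cache, asks server B, and rejects the token.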
How can this vulnerability impact me?
An attacker who holds a valid token for one introspection server can use it to pass authentication on rules that are meant to validate against a different introspection server, and so reach resources or services that server never authorized. Only the authentication step is bypassed; whatever authorizer and mutator the rule configures still run, but they act on a token the rule should have rejected.
- Attack Vector: Network (remote exploitation possible)
- Attack Complexity: Low (no special conditions required)
- Privileges Required: Low (attacker needs a valid token)
- User Interaction: None
The CVSS assessment rates confidentiality and integrity impact as high (unauthorized data access and modification) and availability impact as none.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You are exposed if your Ory Oathkeeper deployment runs a version before 26.2.0 and more than one introspection URL is in use by oauth2_introspection authenticators while result caching is enabled. A deployment that only ever talks to a single introspection endpoint cannot be confused, even with the cache on.
Check the version with the Oathkeeper binary itself (for container deployments, run it inside the container or compare the image tag):
- oathkeeper version
Then review the configuration. In the Oathkeeper config file, look at `authenticators.oauth2_introspection.config` for `introspection_url` and for `cache.enabled`. Then scan every access rule file for `authenticators` entries with `handler: oauth2_introspection` that carry their own `config.introspection_url`; each distinct URL across the global config and the rule overrides is a separate introspection server sharing the one cache.
Exploitation leaves an indirect trace rather than an explicit error: the introspection server behind rule B is never contacted for the replayed token, so a request that was accepted on a route bound to server B without a matching introspection call in B's logs, while the same token does appear in server A's logs, is consistent with this attack. Oathkeeper's own logs do not flag cache hits as suspicious, so this correlation has to be done across the authorization servers' logs.
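As an added example, not part of the advisory or of Oathkeeper, the audit below implements the configuration check just described: it reads a constructed oauth2_introspection section of the Oathkeeper config (given as JSON, which Oathkeeper accepts alongside YAML) and a constructed access-rules file, collects every distinct introspection URL that oauth2_introspection authenticators resolve to, and reports whether caching is enabled for any of them. The sample hostnames and rule ids are invented, and the treatment of a per-rule `config` as an override merged over the global config is an assumption of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample of the relevant part of an oathkeeper config file.
const sampleConfig = `{
  "authenticators": {
    "oauth2_introspection": {
      "enabled": true,
      "config": {
        "introspection_url": "https://idp-a.example/oauth2/introspect",
        "cache": {"enabled": true, "ttl": "60s"}
      }
    }
  }
}`

// Constructed access rules: the second rule overrides introspection_url.
const sampleRules = `[
  {"id": "api-a", "match": {"url": "https://gw.example/a/<.*>", "methods": ["GET"]},
   "authenticators": [{"handler": "oauth2_introspection"}],
   "authorizer": {"handler": "allow"}, "mutators": [{"handler": "noop"}]},
  {"id": "api-b", "match": {"url": "https://gw.example/b/<.*>", "methods": ["GET"]},
   "authenticators": [{"handler": "oauth2_introspection",
                       "config": {"introspection_url": "https://idp-b.example/oauth2/introspect"}}],
   "authorizer": {"handler": "allow"}, "mutators": [{"handler": "noop"}]}
]`

type cacheConfig struct {
	Enabled bool `json:"enabled"`
}

type introspectionConfig struct {
	IntrospectionURL string       `json:"introspection_url"`
	Cache            *cacheConfig `json:"cache"`
}

type config struct {
	Authenticators struct {
		OAuth2Introspection struct {
			Enabled bool                `json:"enabled"`
			Config  introspectionConfig `json:"config"`
		} `json:"oauth2_introspection"`
	} `json:"authenticators"`
}

type rule struct {
	ID             string `json:"id"`
	Authenticators []struct {
		Handler string               `json:"handler"`
		Config  *introspectionConfig `json:"config"`
	} `json:"authenticators"`
}

// Finding lists the distinct introspection URLs the rules resolve to and
// whether any oauth2_introspection authenticator runs with caching on.
type Finding struct {
	URLs         []string
	CacheEnabled bool
}

// Exposed is true when the pre-26.2.0 cache key can be confused: more than
// one introspection endpoint behind a shared, enabled cache.
func (f Finding) Exposed() bool { return f.CacheEnabled && len(f.URLs) > 1 }

func Audit(configJSON, rulesJSON string) (Finding, error) {
	var cfg config
	if err := json.Unmarshal([]byte(configJSON), &cfg); err != nil {
		return Finding{}, err
	}
	var rules []rule
	if err := json.Unmarshal([]byte(rulesJSON), &rules); err != nil {
		return Finding{}, err
	}
	global := cfg.Authenticators.OAuth2Introspection.Config
	var f Finding
	seen := map[string]bool{}
	for _, r := range rules {
		for _, a := range r.Authenticators {
			if a.Handler != "oauth2_introspection" {
				continue
			}
			u, cache := global.IntrospectionURL, global.Cache
			if a.Config != nil { // per-rule override, assumed to merge over the global config
				if a.Config.IntrospectionURL != "" {
					u = a.Config.IntrospectionURL
				}
				if a.Config.Cache != nil {
					cache = a.Config.Cache
				}
			}
			if cache != nil && cache.Enabled {
				f.CacheEnabled = true
			}
			seen[u] = true
		}
	}
	for u := range seen {
		f.URLs = append(f.URLs, u)
	}
	sort.Strings(f.URLs)
	return f, nil
}

func main() {
	f, err := Audit(sampleConfig, sampleRules)
	if err != nil {
		panic(err)
	}
	fmt.Printf("introspection URLs: %v\ncache enabled: %v\nexposed (if running < 26.2.0): %v\n",
		f.URLs, f.CacheEnabled, f.Exposed())
}
```

Run against a real deployment, feed it the oauth2_introspection section of your config and each file listed under access_rules.repositories; a result with two or more URLs and caching enabled on a version before 26.2.0 is the affected configuration, and the same audit reports no exposure once `cache.enabled` is false everywhere.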
What immediate steps should I take to mitigate this vulnerability?
Upgrade Ory Oathkeeper to 26.2.0 or later, where the introspection server URL is part of the cache key.
If you cannot upgrade immediately, disable result caching for the oauth2_introspection authenticator (`cache.enabled: false` in the global authenticator config and in any per-rule override) so that every request is introspected against the URL its rule specifies; expect correspondingly more load on the introspection servers until the upgrade is done. If every rule in fact uses the same introspection URL the confusion cannot occur, but confirm that no rule overrides `introspection_url` before relying on that.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Ory Oathkeeper allows an attacker to bypass authentication by exploiting cache key confusion in the oauth2_introspection authenticator. This can lead to unauthorized access to sensitive data and unauthorized modification of data.
Such unauthorized access and modification can result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Therefore, if exploited, this vulnerability could compromise compliance with these regulations by allowing attackers to access or alter protected data without proper authorization.
Mitigation by updating to version 26.2.0 or disabling caching for oauth2_introspection authenticators is necessary to maintain compliance and prevent potential data breaches.