CVE-2026-33494 Overview
ORY Oathkeeper, an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules, contains a critical authorization bypass vulnerability via HTTP path traversal. Versions prior to 26.2.0 are vulnerable to this flaw, which allows an attacker to craft malicious URLs containing path traversal sequences that circumvent access control rules.
The vulnerability exists because the raw, un-normalized path is used during rule evaluation, while the actual request resolves to a protected path after normalization. This mismatch enables attackers to access protected resources without proper authorization.
Critical Impact
Attackers can bypass authorization controls to access protected administrative endpoints and sensitive resources by exploiting path traversal sequences in HTTP requests.
Affected Products
- ORY Oathkeeper versions prior to 26.2.0
Discovery Timeline
- 2026-03-26 - CVE-2026-33494 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33494
Vulnerability Analysis
This authorization bypass vulnerability (CWE-23: Relative Path Traversal) occurs due to a fundamental flaw in how ORY Oathkeeper processes and evaluates HTTP request paths against access control rules. The vulnerability is network-exploitable without requiring any authentication or user interaction, and it can impact resources beyond the vulnerable component's security scope.
When a request is received, Oathkeeper evaluates the raw request path against its configured access rules. However, the backend service normalizes the path before processing. This creates a security gap where an attacker can craft a URL that matches a permissive rule during evaluation but resolves to a protected endpoint after normalization.
Root Cause
The root cause of this vulnerability lies in the path matching logic within ORY Oathkeeper's rule evaluation engine. The system fails to normalize incoming request paths before comparing them against access control rules. This means that path traversal sequences such as /../ remain intact during rule matching, allowing requests to match against less restrictive rules intended for public endpoints.
When the request is subsequently forwarded to the backend service, standard path normalization occurs, and the request resolves to the attacker's intended protected target. This inconsistency between rule evaluation and actual request routing creates a complete authorization bypass.
Attack Vector
An attacker can exploit this vulnerability by crafting HTTP requests with path traversal sequences embedded in the URL. For example, a request to /public/../admin/secrets would be evaluated against rules for the /public/ path prefix, potentially matching a permissive rule that allows unauthenticated access. However, after path normalization, the request resolves to /admin/secrets, bypassing any authentication or authorization requirements configured for the /admin/ path.
The attack requires no authentication or special privileges and can be executed remotely over the network. Since ORY Oathkeeper is designed to protect backend services, successful exploitation grants attackers unauthorized access to protected APIs, administrative interfaces, and sensitive data.
Technical details and the specific fix can be found in the GitHub Security Advisory and the commit implementing the patch.
Detection Methods for CVE-2026-33494
Indicators of Compromise
- HTTP requests containing path traversal sequences (/../, /./, %2e%2e/, %2e/) in URL paths
- Unexpected access to administrative or protected endpoints from unauthenticated sources
- Anomalous access patterns showing requests to public paths that result in access to protected resources
- Audit logs showing successful access to protected resources without corresponding authentication events
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing path traversal sequences
- Configure access logging on backend services to correlate Oathkeeper access decisions with actual resource access
- Deploy anomaly detection to identify requests with unusual path patterns or encoding
- Monitor for successful access to protected endpoints that lack corresponding authentication tokens
Monitoring Recommendations
- Enable detailed access logging in ORY Oathkeeper to capture raw request paths alongside routing decisions
- Implement real-time alerting for requests containing multiple consecutive dot-dot-slash sequences
- Review access logs for discrepancies between intended and actual accessed resources
- Monitor authentication and authorization metrics for unexpected patterns in protected resource access
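The following Go program is an added example, not Oathkeeper's own code, that models the root cause described above (raw path matched against rules, backend serving the normalized path) beside the fixed behaviour, and the detection check from the indicators above (a logged path whose canonical form differs from what was sent). The rule set, the rule struct and the function names are constructed for this illustration; the only real dependencies are the Go standard library's url.PathUnescape and path.Clean.

```go
package main
import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed stand-in for Oathkeeper access rules: first matching prefix wins, no match means deny.
var rules = []struct {
	Prefix string
	Public bool
}{{"/public/", true}, {"/admin/", false}}
// canonicalPath decodes percent-encoding and collapses "." and ".." segments
// as a backend router would: "/public/%2e%2e/admin/x" becomes "/admin/x".
func canonicalPath(raw string) string {
	p, err := url.PathUnescape(raw)
	if err != nil {
		p = raw // undecodable input is left as-is and falls through to deny
	}
	cleaned := path.Clean(p)
	if strings.HasSuffix(p, "/") && cleaned != "/" {
		cleaned += "/" // path.Clean drops trailing slashes; prefix rules need them
	}
	return cleaned
}

// Allowed evaluates a request: normalize=false reproduces the vulnerable
// behaviour (raw path matched against rules), normalize=true is the fix.
func Allowed(raw string, authenticated, normalize bool) bool {
	if normalize {
		raw = canonicalPath(raw)
	}
	for _, r := range rules {
		if strings.HasPrefix(raw, r.Prefix) {
			return r.Public || authenticated
		}
	}
	return false
}

// IsTraversalAttempt flags a logged path whose canonical form differs from what was sent.
func IsTraversalAttempt(raw string) bool {
	return canonicalPath(raw) != raw
}
func main() {
	p := "/public/%2e%2e/admin/secrets" // the advisory's example, percent-encoded
	fmt.Println(Allowed(p, false, false), Allowed(p, false, true), IsTraversalAttempt(p))
}
```

Run over access-log paths, IsTraversalAttempt is true only for requests whose decoded and cleaned form changes, so ordinary paths such as /public/ or /public/index.html do not trigger it.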
How to Mitigate CVE-2026-33494
Immediate Actions Required
- Upgrade ORY Oathkeeper to version 26.2.0 or later immediately
- Review access logs for any evidence of exploitation attempts using path traversal sequences
- Audit all access rules to ensure protected endpoints cannot be reached via alternative paths
- Implement additional input validation at the reverse proxy or load balancer level
Patch Information
ORY has released version 26.2.0 which contains a fix for this vulnerability. The patch ensures that request paths are properly normalized before being evaluated against access control rules, eliminating the inconsistency between rule matching and actual request routing.
For detailed information about the patch, review the GitHub commit which implements path normalization in the rule evaluation logic.
Workarounds
- Deploy a reverse proxy or WAF in front of Oathkeeper configured to normalize paths before forwarding requests
- Implement explicit deny rules for any path containing traversal sequences (.., %2e%2e)
- Configure backend services to reject requests containing unnormalized path components
- Use network segmentation to limit which clients can reach Oathkeeper-protected services
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

