CVE-2026-33496 Overview
CVE-2026-33496 is an authentication bypass vulnerability in ORY Oathkeeper, an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion in the oauth2_introspection authenticator.
The vulnerability occurs because the authenticator cache does not distinguish tokens that were validated against different introspection URLs. An attacker who holds a token that is valid for one introspection server can use it legitimately against a rule bound to that server, which primes the cache, and then present the same token to a rule whose introspection server would reject it. The cached result is returned instead of a fresh introspection, so the second rule's authentication control is bypassed.
Critical Impact
Attackers with a valid token for one introspection server can bypass authentication for rules configured with different introspection servers, potentially gaining unauthorized access to protected resources.
Affected Products
- ORY Oathkeeper versions prior to 26.2.0
- Configurations using multiple oauth2_introspection authenticator servers
- Systems with caching enabled for oauth2_introspection authenticators
Discovery Timeline
- 2026-03-26 - CVE-2026-33496 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33496
Vulnerability Analysis
This authentication bypass vulnerability (CWE-305: Authentication Bypass by Primary Weakness) arises from improper cache key generation in the OAuth2 introspection authenticator component. When Ory Oathkeeper validates OAuth2 tokens, it can cache the introspection results to improve performance. However, the cache implementation fails to include the introspection server URL as part of the cache key.
The vulnerability requires a specific configuration: Ory Oathkeeper must be configured with multiple oauth2_introspection authenticator servers, each accepting different tokens, and caching must be enabled. An attacker who possesses a valid token for one of the configured introspection servers can exploit this flaw to authenticate against endpoints protected by different introspection servers.
Root Cause
The root cause is that the cache key generation algorithm does not scope the cached token validation results to the specific introspection URL that performed the validation. This allows tokens validated by one introspection server to be incorrectly reused for authentication against rules that should only accept tokens from a different introspection server.
Attack Vector
The attack requires network access to the proxy and a low-privilege foothold: a token that one of the configured introspection servers will accept. The attacker must:
- Obtain a valid OAuth2 token for one of the configured introspection servers
- Send a request to a rule that introspects against that server, so the token is validated and the result is cached
- Present the same token to a rule whose oauth2_introspection handler points at a different introspection server
Because the cache key is derived from the token alone, the cached result from the first server is returned and the second server is never consulted, so the request is treated as authenticated.
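The cache-key confusion described above, as an added example in Go that is not Oathkeeper's own code: a minimal cache-then-introspect flow with two simulated introspection servers (no network), run once with a key derived from the token alone and once with the introspection URL folded into the key. The server URLs, token values, and both key derivations are assumptions for illustration, not the project's actual implementation.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed for this example: each simulated introspection server accepts
// only the tokens it issued. Real servers would be reached over HTTP.
var servers = map[string]map[string]bool{
	"https://auth-a.example/oauth2/introspect": {"token-A": true},
	"https://auth-b.example/oauth2/introspect": {"token-B": true},
}

// KeyFunc derives the cache key for an (introspection URL, token) pair.
type KeyFunc func(introspectionURL, token string) string

// VulnerableKey mirrors the defect: the key depends on the token only, so a
// result obtained from one introspection URL is served for any other URL.
func VulnerableKey(_ string, token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// FixedKey scopes the entry to the URL that validated the token. The NUL
// separator keeps url+token from colliding with a different split point.
func FixedKey(introspectionURL, token string) string {
	sum := sha256.Sum256([]byte(introspectionURL + "\x00" + token))
	return hex.EncodeToString(sum[:])
}

// Authenticator is a minimal cache-then-introspect flow (assumed shape).
type Authenticator struct {
	keyFn KeyFunc
	cache map[string]bool // key -> active; only active results are cached here
}

func NewAuthenticator(keyFn KeyFunc) *Authenticator {
	return &Authenticator{keyFn: keyFn, cache: map[string]bool{}}
}

// Authenticate reports whether the token is accepted for the rule's
// introspection URL and whether that decision came from the cache.
func (a *Authenticator) Authenticate(introspectionURL, token string) (active, fromCache bool) {
	key := a.keyFn(introspectionURL, token)
	if cached, ok := a.cache[key]; ok {
		return cached, true // no introspection call is made on a hit
	}
	active = servers[introspectionURL][token] // lookup in a nil map is safe
	if active {
		a.cache[key] = true
	}
	return active, false
}

// Scenario records the two-step attack: prime the cache with a legitimate
// request to server A, then present the same token to a rule bound to B.
type Scenario struct {
	PrimedOnA   bool // step 1 accepted, as expected
	AcceptedOnB bool // step 2: true means the bypass succeeded
	BFromCache  bool // step 2 decided from the cache without asking B
}

func RunScenario(keyFn KeyFunc) Scenario {
	a := NewAuthenticator(keyFn)
	primed, _ := a.Authenticate("https://auth-a.example/oauth2/introspect", "token-A")
	acceptedB, cachedB := a.Authenticate("https://auth-b.example/oauth2/introspect", "token-A")
	return Scenario{PrimedOnA: primed, AcceptedOnB: acceptedB, BFromCache: cachedB}
}

func main() {
	fmt.Printf("token-only key: %+v\n", RunScenario(VulnerableKey))
	fmt.Printf("url-scoped key: %+v\n", RunScenario(FixedKey))
}
```

With the token-only key the second call is a cache hit and server B is never asked, so token-A is accepted for a rule it should fail; with the URL-scoped key the second call misses the cache, B is consulted, and the token is rejected.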
The security patch addresses this by including the introspection server URL in the cache key:
import (
"bytes"
- "crypto/md5" //nolint:gosec
+ //nolint:gosec
"encoding/json"
"fmt"
"net/http"
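Review bot: the `+` line at the top of this hunk carries only the `//nolint:gosec` comment with no import path, so the package that replaces `"crypto/md5"` is not visible, and the hunk shows only the import change, not the cache key construction that the surrounding text says now includes the introspection URL; quote or link the key-building lines of the commit so a reader can confirm the URL is actually part of the key, and drop the dangling `//nolint:gosec` if the new import no longer needs the suppression.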
Source: GitHub Commit Update
Detection Methods for CVE-2026-33496
Indicators of Compromise
- Unusual authentication patterns where the same token is used across multiple protected endpoints with different introspection servers
- Log entries showing successful authentication against unexpected introspection endpoints
- Token validation cache hits for tokens that should not be valid for the requesting endpoint's introspection server
Detection Strategies
- Monitor authentication logs for tokens being accepted by multiple distinct introspection server configurations
- Implement logging to capture and correlate introspection server URLs with validated tokens
- Audit access patterns for anomalies where users access resources outside their authorized scope
Monitoring Recommendations
- Enable detailed authentication logging in Ory Oathkeeper to track token validation sources
- Implement alerting for authentication events where cached results are returned for cross-introspection-server requests
- Review access control configurations to identify deployments using multiple introspection servers with caching enabled
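The correlation suggested under Detection Strategies, as an added example in Go that is not part of the original page or of Oathkeeper: it parses constructed logfmt-style decision log lines and reports any token hash accepted under more than one distinct introspection URL. The message name, field names (`token_sha256`, `introspection_url`, `rule`) and the sample lines are assumptions about what an operator would log, not Oathkeeper's own log schema.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AcceptEvent is one successful token validation as we assume the proxy's
// decision log records it: which introspection URL accepted which (hashed)
// token, for which rule. Log only a hash of the token, never the token.
type AcceptEvent struct {
	TokenHash        string
	IntrospectionURL string
	Rule             string
}

// parseLine reads one assumed logfmt-style line such as
//   msg=introspection_accepted rule=api-a token_sha256=... introspection_url=...
// and returns ok=false for lines that are not acceptances or lack fields.
func parseLine(line string) (AcceptEvent, bool) {
	fields := map[string]string{}
	for _, kv := range strings.Fields(line) {
		k, v, found := strings.Cut(kv, "=")
		if !found {
			continue
		}
		fields[k] = strings.Trim(v, `"`)
	}
	if fields["msg"] != "introspection_accepted" {
		return AcceptEvent{}, false
	}
	ev := AcceptEvent{
		TokenHash:        fields["token_sha256"],
		IntrospectionURL: fields["introspection_url"],
		Rule:             fields["rule"],
	}
	if ev.TokenHash == "" || ev.IntrospectionURL == "" {
		return AcceptEvent{}, false
	}
	return ev, true
}

// CrossServerTokens returns, for each token hash accepted under more than one
// distinct introspection URL, the sorted list of those URLs. One token being
// valid for two independent introspection servers is the signature of the
// cache confusion described on this page.
func CrossServerTokens(lines []string) map[string][]string {
	seen := map[string]map[string]struct{}{}
	for _, line := range lines {
		ev, ok := parseLine(line)
		if !ok {
			continue
		}
		if seen[ev.TokenHash] == nil {
			seen[ev.TokenHash] = map[string]struct{}{}
		}
		seen[ev.TokenHash][ev.IntrospectionURL] = struct{}{}
	}
	out := map[string][]string{}
	for tok, urls := range seen {
		if len(urls) < 2 {
			continue
		}
		list := make([]string, 0, len(urls))
		for u := range urls {
			list = append(list, u)
		}
		sort.Strings(list)
		out[tok] = list
	}
	return out
}

// SampleLog is constructed for this example; token hash a1b2 is accepted by
// two different introspection URLs, the others are not.
var SampleLog = []string{
	`time=2026-03-26T10:00:01Z msg=introspection_accepted rule=api-a token_sha256=a1b2 introspection_url=https://auth-a.example/oauth2/introspect`,
	`time=2026-03-26T10:00:02Z msg=introspection_accepted rule=api-b token_sha256=c3d4 introspection_url=https://auth-b.example/oauth2/introspect`,
	`time=2026-03-26T10:00:03Z msg=introspection_rejected rule=api-b token_sha256=e5f6 introspection_url=https://auth-b.example/oauth2/introspect`,
	`time=2026-03-26T10:00:04Z msg=introspection_accepted rule=api-b token_sha256=a1b2 introspection_url=https://auth-b.example/oauth2/introspect`,
}

func main() {
	for tok, urls := range CrossServerTokens(SampleLog) {
		fmt.Printf("token %s accepted by %d introspection servers: %v\n", tok, len(urls), urls)
	}
}
```

The correlation has to run on the proxy's own decision log, keyed by the introspection URL the matched rule is configured with: on the bypass path the second acceptance is served from the cache and the second introspection server never receives a request, so its logs show nothing.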
How to Mitigate CVE-2026-33496
Immediate Actions Required
- Update Ory Oathkeeper to version 26.2.0 or later immediately
- If immediate patching is not possible, disable caching for all oauth2_introspection authenticators
- Audit current configurations to identify systems using multiple introspection servers with caching enabled
- Review access logs for potential exploitation attempts
Patch Information
The vulnerability is fixed in Ory Oathkeeper version 26.2.0. The fix ensures that the introspection server URL is included in the cache key, preventing confusion of tokens across different introspection servers. The patch is available via the GitHub Commit Update. Additional details are available in the GitHub Security Advisory GHSA-4mq7-pvjg-xp2r.
Workarounds
- Disable caching for oauth2_introspection authenticators until patching is complete, and check any access rules that supply their own oauth2_introspection config so none of them re-enables it
- Reduce the number of configured introspection servers to a single server where possible
- Implement additional application-level authorization checks to validate token scope
- Consider network segmentation to limit attacker access to multiple introspection endpoints
# Configuration example - Disable caching for oauth2_introspection authenticator
# In your Oathkeeper configuration file (oathkeeper.yml):
authenticators:
  oauth2_introspection:
    enabled: true
    config:
      cache:
        enabled: false # Disable caching as workaround
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

