Critical severity 10.0 · NVD Advisory · Published Mar 26, 2026 · Updated Apr 7, 2026
CVE-2026-33494
Description
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. /public/../admin/secrets) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.
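As an added illustration (not code from Oathkeeper or from this advisory), the following Go snippet contrasts evaluating a prefix rule against the raw request path with evaluating it after dot-segment normalization; the rule type, the two rules and the sample paths are constructed for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is a constructed, simplified stand-in for an access rule (not
// Oathkeeper's format): a path prefix and whether it passes anonymously.
type Rule struct {
	Prefix string
	Allow  bool
}

// Rules are evaluated in order; the first matching prefix decides.
var rules = []Rule{
	{Prefix: "/public/", Allow: true},
	{Prefix: "/admin/", Allow: false},
}

// decide applies the first matching rule; unmatched paths are denied.
func decide(p string) bool {
	for _, r := range rules {
		if strings.HasPrefix(p, r.Prefix) {
			return r.Allow
		}
	}
	return false
}

// AuthorizeRaw reproduces the flawed behaviour: the path is matched as
// received, so "/public/../admin/secrets" hits the permissive rule.
func AuthorizeRaw(reqPath string) bool {
	return decide(reqPath)
}

// AuthorizeNormalized matches the path the upstream will actually serve:
// dot segments are resolved with path.Clean before rule evaluation.
// reqPath is assumed percent-decoded already (url.URL.Path is); note that
// path.Clean also drops a trailing slash, so prefix rules must allow for that.
func AuthorizeNormalized(reqPath string) bool {
	return decide(path.Clean("/" + reqPath))
}

func main() {
	p := "/public/../admin/secrets"
	fmt.Println(AuthorizeRaw(p), AuthorizeNormalized(p)) // true false
}
```

A real proxy must also apply the same normalization the upstream applies (percent-decoding, duplicate slashes, case rules) so that the decision and the served resource never diverge.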
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ory/oathkeeper (Go) | < 0.40.10-0.20260320084758-8e0002140491 | 0.40.10-0.20260320084758-8e0002140491 |
Affected products
- ghsa-coords (2 versions): pkg:golang/github.com/ory/oathkeeper, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
  - (no CPE) range: < 0.40.10-0.20260320084758-8e0002140491
  - (no CPE) range: < 0.0.20260326T203309-150000.1.155.2
References
- github.com/ory/oathkeeper/commit/8e0002140491c592db41fa141dc6ad68f417e2b2 (Patch; source: NVD)
- github.com/advisories/GHSA-p224-6x5r-fjpm (Advisory; source: GHSA)
- github.com/ory/oathkeeper/security/advisories/GHSA-p224-6x5r-fjpm (Vendor Advisory, Mitigation; source: NVD)
- nvd.nist.gov/vuln/detail/CVE-2026-33494 (Advisory; source: GHSA)