Medium severity6.5NVD Advisory· Published Mar 26, 2026· Updated Apr 2, 2026

CVE-2026-33495

Description

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component might forward the request to the Oathkeeper proxy with a different protocol (http vs. https) than the original request. In order to properly match the request against the configured rules, Oathkeeper considers the X-Forwarded-Proto header when evaluating rules. The configuration option serve.proxy.trust_forwarded_headers (defaults to false) governs whether this and other X-Forwarded-* headers should be trusted. Prior to version 26.2.0, Oathkeeper did not properly respect this configuration, and would always consider the X-Forwarded-Proto header. In order for an attacker to abuse this, an installation of Ory Oathkeeper needs to have distinct rules for HTTP and HTTPS requests. Also, the attacker needs to be able to trigger one but not the other rule. In this scenario, the attacker can send the same request but with the X-Forwarded-Proto header in order to trigger the other rule. We do not expect many configurations to meet these preconditions. Version 26.2.0 contains a patch. Ory Oathkeeper will correctly respect the serve.proxy.trust_forwarded_headers configuration going forward, thereby eliminating the attack scenario. We recommend upgrading to a fixed version even if the preconditions are not met. As an additional mitigation, it is generally recommended to drop any unexpected headers as early as possible when a request is handled, e.g. in the WAF.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/ory/oathkeeperGo	< 0.40.10-0.20260320084810-e9acca14a04d	0.40.10-0.20260320084810-e9acca14a04d

Affected products

Ory/Oathkeeper
cpe:2.3:a:ory:oathkeeper:*:*:*:*:*:*:*:*
Range: <26.2.0

Patches

e9acca14a04d

fix: only use `X-Forwarded-Proto` header when trusted

https://github.com/ory/oathkeeperPatrikMar 12, 2026via ghsa

commit

4 files changed · +102 −74

proxy/proxy.go+13 −4 modified

@@ -124,7 +124,7 @@ func (d *Proxy) Rewrite(r *httputil.ProxyRequest) {
 		}
 	}
 
-	EnrichRequestedURL(r)
+	EnrichRequestedURL(r, d.c.ProxyTrustForwardedHeaders())
 	rl, err := d.r.RuleMatcher().Match(r.Out.Context(), r.Out.Method, r.Out.URL, rule.ProtocolHTTP)
 	if err != nil {
 		*r.Out = *r.Out.WithContext(context.WithValue(r.Out.Context(), director, err))
@@ -167,11 +167,20 @@ func CopyHeaders(headers http.Header, r *http.Request) {
 
 // EnrichRequestedURL sets Scheme and Host values in a URL passed down by a http server. Per default, the URL
 // does not contain host nor scheme values.
-func EnrichRequestedURL(r *httputil.ProxyRequest) {
-	r.Out.URL.Scheme = "http"
+func EnrichRequestedURL(r *httputil.ProxyRequest, trustForwardedHeaders bool) {
 	r.Out.URL.Host = r.In.Host
-	if r.In.TLS != nil || strings.EqualFold(r.In.Header.Get("X-Forwarded-Proto"), "https") {
+	switch {
+	case trustForwardedHeaders && strings.EqualFold(r.In.Header.Get("X-Forwarded-Proto"), "https"):
 		r.Out.URL.Scheme = "https"
+	case trustForwardedHeaders && strings.EqualFold(r.In.Header.Get("X-Forwarded-Proto"), "http"):
+		r.Out.URL.Scheme = "http"
+	case r.In.TLS != nil:
+		// fallback to TLS check only if the header is not set or the proxy is not trusted
+		// otherwise the header should be trusted as it is coming from a trusted proxy
+		r.Out.URL.Scheme = "https"
+
+	default:
+		r.Out.URL.Scheme = "http"
 	}
 }

proxy/proxy_test.go+87 −69 modified

@@ -19,6 +19,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/ory/x/configx"
+
 	"github.com/ory/oathkeeper/driver/configuration"
 	"github.com/ory/oathkeeper/internal"
 	"github.com/ory/oathkeeper/proxy"
@@ -28,22 +30,21 @@ import (
 
 func TestProxy(t *testing.T) {
 	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// assert.NotEmpty(t, helper.BearerTokenFromRequest(r))
-		fmt.Fprint(w, "authorization="+r.Header.Get("Authorization")+"\n") //nolint:errcheck // best-effort debug output
-		fmt.Fprint(w, "host="+r.Host+"\n")                                 //nolint:errcheck // best-effort debug output
-		fmt.Fprint(w, "url="+r.URL.String()+"\n")                          //nolint:errcheck // best-effort debug output
+		_, _ = fmt.Fprintf(w, "authorization=%s\n", r.Header.Get("Authorization"))
+		_, _ = fmt.Fprintf(w, "host=%s\n", r.Host)
+		_, _ = fmt.Fprintf(w, "url=%s\n", r.URL)
 		for k, v := range r.Header {
-			fmt.Fprint(w, "header "+k+"="+strings.Join(v, ",")+"\n") //nolint:errcheck // best-effort debug output
+			_, _ = fmt.Fprintf(w, "header %s=%s\n", k, strings.Join(v, ","))
 		}
 	}))
-	defer backend.Close()
+	t.Cleanup(backend.Close)
 
 	conf := internal.NewConfigurationWithDefaults()
 	reg := internal.NewRegistry(conf).WithBrokenPipelineMutator()
 
 	d := reg.Proxy()
 	ts := httptest.NewServer(&httputil.ReverseProxy{Rewrite: d.Rewrite, Transport: d})
-	defer ts.Close()
+	t.Cleanup(ts.Close)
 
 	conf.SetForTest(t, configuration.AuthenticatorNoopIsEnabled, true)
 	conf.SetForTest(t, configuration.AuthenticatorUnauthorizedIsEnabled, true)
@@ -512,34 +513,38 @@ func TestConfigureBackendURL(t *testing.T) {
 
 func TestEnrichRequestedURL(t *testing.T) {
 	for k, tc := range []struct {
-		req    *httputil.ProxyRequest
-		expect url.URL
+		req                 *http.Request
+		trustForwardHeaders bool
+		expect              url.URL
 	}{
 		{
-			req: &httputil.ProxyRequest{
-				In:  &http.Request{Host: "test", TLS: &tls.ConnectionState{}, URL: new(url.URL)},
-				Out: &http.Request{Host: "test", TLS: &tls.ConnectionState{}, URL: new(url.URL)},
-			},
+			req:    &http.Request{Host: "test", TLS: new(tls.ConnectionState), URL: new(url.URL)},
 			expect: url.URL{Scheme: "https", Host: "test"},
 		},
 		{
-			req: &httputil.ProxyRequest{
-				In:  &http.Request{Host: "test", URL: new(url.URL)},
-				Out: &http.Request{Host: "test", URL: new(url.URL)},
-			},
+			req:    &http.Request{Host: "test", URL: new(url.URL)},
 			expect: url.URL{Scheme: "http", Host: "test"},
 		},
 		{
-			req: &httputil.ProxyRequest{
-				In:  &http.Request{Host: "test", Header: http.Header{"X-Forwarded-Proto": {"https"}}, URL: new(url.URL)},
-				Out: &http.Request{Host: "test", URL: new(url.URL)},
-			},
-			expect: url.URL{Scheme: "https", Host: "test"},
+			req:                 &http.Request{Host: "test", Header: http.Header{"X-Forwarded-Proto": {"https"}}, URL: new(url.URL)},
+			trustForwardHeaders: true,
+			expect:              url.URL{Scheme: "https", Host: "test"},
+		},
+		{
+			req:                 &http.Request{Host: "test", Header: http.Header{"X-Forwarded-Proto": {"https"}}, URL: new(url.URL)},
+			trustForwardHeaders: false,
+			expect:              url.URL{Scheme: "http", Host: "test"},
+		},
+		{
+			req:                 &http.Request{Host: "test", Header: http.Header{"X-Forwarded-Proto": {"http"}}, TLS: new(tls.ConnectionState), URL: new(url.URL)},
+			trustForwardHeaders: true,
+			expect:              url.URL{Scheme: "http", Host: "test"},
 		},
 	} {
 		t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
-			proxy.EnrichRequestedURL(tc.req)
-			assert.EqualValues(t, tc.expect, *tc.req.Out.URL)
+			req := &httputil.ProxyRequest{In: tc.req, Out: &http.Request{URL: new(url.URL)}}
+			proxy.EnrichRequestedURL(req, tc.trustForwardHeaders)
+			assert.EqualValues(t, tc.expect, *req.Out.URL)
 		})
 	}
 }
@@ -578,9 +583,7 @@ func TestRateLimitHeaderPropagation(t *testing.T) {
 	}))
 	defer rateLimitUpstream.Close()
 
-	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-		fmt.Fprint(w, "ok") //nolint:errcheck // test
-	}))
+	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { _, _ = fmt.Fprint(w, "ok") }))
 	defer backend.Close()
 
 	conf := internal.NewConfigurationWithDefaults()
@@ -623,45 +626,60 @@ func TestRateLimitHeaderPropagation(t *testing.T) {
 	assert.Equal(t, "1709042400", res.Header.Get("X-Ratelimit-Reset"))
 }
 
-//
-// func BenchmarkDirector(b *testing.B) {
-//	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-//		fmt.Fprint(w, "authorization="+r.Header.Get("Authorization"))
-//		fmt.Fprint(w, "host="+r.Header.Get("Host"))
-//		fmt.Fprint(w, "url="+r.URL.String())
-//		fmt.Fprint(w, "path="+r.URL.Path)
-//	}))
-//	defer backend.Close()
-//
-//	logger := logrus.New()
-//	logger.Level = logrus.WarnLevel
-//	u, _ := url.Parse(backend.URL)
-//	d := NewProxy(nil, logger, &rsakey.LocalManager{KeyStrength: 512})
-//
-//	p := httptest.NewServer(&httputil.ReverseProxy{Director: d.Director, Transport: d})
-//	defer p.Close()
-//
-//	jt := &JurorPassThrough{L: logrus.New()}
-//	matcher := &rule.CachedMatcher{Rules: map[string]rule.Rule{
-//		"A": {MatchesMethods: []string{"GET"}, MatchesURLCompiled: panicCompileRegex(p.URL + "/users"), Mode: jt.GetID(), Upstream: rule.Upstream{URLParsed: u}},
-//		"B": {MatchesMethods: []string{"GET"}, MatchesURLCompiled: panicCompileRegex(p.URL + "/users/<[0-9]+>"), Mode: jt.GetID(), Upstream: rule.Upstream{URLParsed: u}},
-//		"C": {MatchesMethods: []string{"GET"}, MatchesURLCompiled: panicCompileRegex(p.URL + "/<[0-9]+>"), Mode: jt.GetID(), Upstream: rule.Upstream{URLParsed: u}},
-//		"D": {MatchesMethods: []string{"GET"}, MatchesURLCompiled: panicCompileRegex(p.URL + "/other/<.+>"), Mode: jt.GetID(), Upstream: rule.Upstream{URLParsed: u}},
-//	}}
-//	d.Judge = NewRequestHandler(logger, matcher, "", []Juror{jt})
-//
-//	req, _ := http.NewRequest("GET", p.URL+"/users", nil)
-//
-//	b.Run("case=fetch_user_endpoint", func(b *testing.B) {
-//		for n := 0; n < b.N; n++ {
-//			res, err := http.DefaultClient.Do(req)
-//			if err != nil {
-//				b.FailNow()
-//			}
-//
-//			if res.StatusCode != http.StatusOK {
-//				b.FailNow()
-//			}
-//		}
-//	})
-// }
+func TestXForwardedProtoMustNotAffectMatchWhenUntrusted(t *testing.T) {
+	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
+	t.Cleanup(backend.Close)
+
+	conf := internal.NewConfigurationWithDefaults(configx.WithValues(map[string]any{
+		configuration.ProxyTrustForwardedHeaders:      false,
+		configuration.AuthenticatorAnonymousIsEnabled: true,
+		configuration.AuthorizerAllowIsEnabled:        true,
+		configuration.AuthorizerDenyIsEnabled:         true,
+		configuration.MutatorNoopIsEnabled:            true,
+		configuration.ErrorsJSONIsEnabled:             true,
+	}))
+	reg := internal.NewRegistry(conf)
+
+	d := reg.Proxy()
+	proxyServer := httptest.NewServer(&httputil.ReverseProxy{Rewrite: d.Rewrite, Transport: d})
+	t.Cleanup(proxyServer.Close)
+
+	ruleURL := proxyServer.URL + "/https-only"
+	rls := []rule.Rule{{
+		ID:             "https-allow",
+		Match:          &rule.Match{Methods: []string{"GET"}, URL: strings.Replace(ruleURL, "http://", "https://", 1)},
+		Authenticators: []rule.Handler{{Handler: "anonymous"}},
+		Authorizer:     rule.Handler{Handler: "allow"},
+		Mutators:       []rule.Handler{{Handler: "noop"}},
+		Upstream:       rule.Upstream{URL: backend.URL},
+		Errors:         []rule.ErrorHandler{{Handler: "json"}},
+	}, {
+		ID:             "http-deny",
+		Match:          &rule.Match{Methods: []string{"GET"}, URL: ruleURL},
+		Authenticators: []rule.Handler{{Handler: "anonymous"}},
+		Authorizer:     rule.Handler{Handler: "deny"},
+		Mutators:       []rule.Handler{{Handler: "noop"}},
+		Upstream:       rule.Upstream{URL: backend.URL},
+		Errors:         []rule.ErrorHandler{{Handler: "json"}},
+	}}
+
+	repo := reg.RuleRepository().(*rule.RepositoryMemory)
+	repo.WithRules(rls)
+	require.NoError(t, repo.SetMatchingStrategy(t.Context(), configuration.Regexp))
+
+	// Baseline: plain HTTP request does not match HTTPS-only rule.
+	res1, err := http.Get(ruleURL) // #nosec G107 -- this is a test supposed to make an HTTP request
+	require.NoError(t, err)
+	_ = res1.Body.Close()
+	require.Equal(t, http.StatusForbidden, res1.StatusCode)
+
+	// try to spoof scheme via untrusted X-Forwarded-Proto header; should still be denied
+	req2, err := http.NewRequest(http.MethodGet, ruleURL, nil) // #nosec G107 -- this is a test supposed to make an HTTP request
+	require.NoError(t, err)
+	req2.Header.Set("X-Forwarded-Proto", "https")
+	res2, err := http.DefaultClient.Do(req2)
+	require.NoError(t, err)
+	_ = res2.Body.Close()
+
+	require.Equal(t, http.StatusForbidden, res2.StatusCode, "X-Forwarded-Proto unexpectedly affected URL scheme matching")
+}

test/forwarded-header/config.yaml+1 −0 modified

@@ -3,6 +3,7 @@ serve:
     port: 6061
   proxy:
     port: 6060
+    trust_forwarded_headers: true
 
 access_rules:
   repositories:

test/forwarded-header/run.sh+1 −1 modified

@@ -36,7 +36,7 @@ make_request() {
   expected_status_code=$2
   shift 2
 
-  [[ $(curl --retry 7 --retry-connrefused --silent --output /dev/null -f ${url} -w '%{http_code}' "$@") -eq $expected_status_code ]]
+  [[ $(curl --retry 7 --retry-connrefused --silent --output /dev/null -f "${url}" -w '%{http_code}' "$@") -eq $expected_status_code ]]
 }
 
 SUCCESS_TEST=()

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/ory/oathkeeper/commit/e9acca14a04d246250557550065e4b4576525bd5nvdPatchWEB
github.com/advisories/GHSA-vhr5-ggp3-qq85ghsaADVISORY
github.com/ory/oathkeeper/security/advisories/GHSA-vhr5-ggp3-qq85nvdMitigationVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-33495ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000