Go modules package
github.com/ory/oathkeeper
pkg:golang/github.com/ory/oathkeeper
Vulnerabilities (4)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33496 | High | 8.1 | | < 0.40.10-0.20260320084801-198a2bc82a99 | 0.40.10-0.20260320084801-198a2bc82a99 | Mar 26, 2026 | ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The `oauth2_introspection` authenticator c |
| CVE-2026-33495 | Medium | 6.5 | | < 0.40.10-0.20260320084810-e9acca14a04d | 0.40.10-0.20260320084810-e9acca14a04d | Mar 26, 2026 | ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component |
| CVE-2026-33494 | Critical | 10.0 | | < 0.40.10-0.20260320084758-8e0002140491 | 0.40.10-0.20260320084758-8e0002140491 | Mar 26, 2026 | ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path |
| CVE-2021-32701 | — | | | >= 0.38.0-beta.2, < 0.38.12-beta.1 | 0.38.12-beta.1 | Jun 22, 2021 | ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope `foo` using an access token granted with that `foo` scope, introspection |