CVE-2026-33494
CVE-2026-33494 is a critical-severity vulnerability in Ory Oathkeeper with a CVSS 3.x base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-23.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 1% (40th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-16285
- Weakness: CWE-23
- Affected product: Ory Oathkeeper
- Published:
- Last modified:
Description
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.
Frequently asked questions
- What is CVE-2026-33494?
- ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.
- How severe is CVE-2026-33494?
- CVE-2026-33494 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2026-33494 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (40th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-33494?
- CVE-2026-33494 affects Ory Oathkeeper. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-33494?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2026-33494 have an EU (EUVD) identifier?
- Yes. CVE-2026-33494 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-16285.
- When was CVE-2026-33494 published?
- CVE-2026-33494 was published on 2026-03-26 and last updated on 2026-06-17.
References
- https://github.com/ory/oathkeeper/commit/8e0002140491c592db41fa141dc6ad68f417e2b2
- https://github.com/ory/oathkeeper/security/advisories/GHSA-p224-6x5r-fjpm
Affected products (1)
- cpe:2.3:a:ory:oathkeeper:*:*:*:*:*:*:*:*
More vulnerabilities in Ory Oathkeeper
- CVE-2026-33496 — High (CVSS 8.1): ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based…
- CVE-2021-32701 — High (CVSS 7.5): ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based…
- CVE-2026-33495 — Medium (CVSS 6.5): ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based…
All CVEs affecting Ory Oathkeeper →
Other CWE-23 vulnerabilities
- CVE-2026-52813 — Critical (CVSS 10.0): Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences…
- CVE-2026-8326 — Critical (CVSS 10.0): Path traversal vulnerability in Remote Spark (https://www.Remotespark.Com/) SparkView allows reading and writing…
- CVE-2023-3941 — Critical (CVSS 10.0): Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to write any file on the system…
- CVE-2024-24578 — Critical (CVSS 10.0): RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. RaspberryMatic / OCCU prior…
- CVE-2012-6069 — Critical (CVSS 10.0): The CoDeSys Runtime Toolkit’s file transfer functionality does not perform input validation, which allows an…
- CVE-2025-62878 — Critical (CVSS 9.9): A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the…