CVE-2026-33494: CWE-23: Relative Path Traversal in ory oathkeeper
ORY Oathkeeper versions prior to 26. 2. 0 are affected by a critical authorization bypass vulnerability due to relative path traversal (CWE-23). The issue arises because the software uses the raw, un-normalized HTTP request path for access rule evaluation, allowing crafted URLs with path traversal sequences to bypass intended access controls. This vulnerability has a CVSS score of 10. 0, indicating critical severity. Version 26. 2. 0 includes a patch that addresses this flaw.
AI Analysis
Technical Summary
CVE-2026-33494 is a critical vulnerability in ORY Oathkeeper, an Identity & Access Proxy and Access Control Decision API. The vulnerability is a relative path traversal that leads to authorization bypass. Specifically, the product uses the raw HTTP request path during access rule evaluation instead of the normalized path. Attackers can exploit this by crafting URLs with path traversal sequences (e.g., `/public/../admin/secrets`) that resolve to protected resources after normalization but are matched against permissive rules due to the un-normalized path check. This flaw affects all versions prior to 26.2.0, which contains the official patch.
Potential Impact
Successful exploitation allows an unauthenticated attacker to bypass authorization controls and access protected resources that should be restricted. The vulnerability impacts confidentiality and integrity, as unauthorized access to sensitive data or administrative functions is possible. The CVSS score of 10.0 reflects the vulnerability's ease of exploitation (network vector, no privileges or user interaction required) and its severe impact on confidentiality and integrity.
Mitigation Recommendations
An official fix is available in ORY Oathkeeper version 26.2.0. Users should upgrade to version 26.2.0 or later to remediate this vulnerability. No additional mitigations are specified in the advisory. Patch status is confirmed by the vendor advisory indicating the fix is included in version 26.2.0.
CVE-2026-33494: CWE-23: Relative Path Traversal in ory oathkeeper
Description
ORY Oathkeeper versions prior to 26. 2. 0 are affected by a critical authorization bypass vulnerability due to relative path traversal (CWE-23). The issue arises because the software uses the raw, un-normalized HTTP request path for access rule evaluation, allowing crafted URLs with path traversal sequences to bypass intended access controls. This vulnerability has a CVSS score of 10. 0, indicating critical severity. Version 26. 2. 0 includes a patch that addresses this flaw.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33494 is a critical vulnerability in ORY Oathkeeper, an Identity & Access Proxy and Access Control Decision API. The vulnerability is a relative path traversal that leads to authorization bypass. Specifically, the product uses the raw HTTP request path during access rule evaluation instead of the normalized path. Attackers can exploit this by crafting URLs with path traversal sequences (e.g., `/public/../admin/secrets`) that resolve to protected resources after normalization but are matched against permissive rules due to the un-normalized path check. This flaw affects all versions prior to 26.2.0, which contains the official patch.
Potential Impact
Successful exploitation allows an unauthenticated attacker to bypass authorization controls and access protected resources that should be restricted. The vulnerability impacts confidentiality and integrity, as unauthorized access to sensitive data or administrative functions is possible. The CVSS score of 10.0 reflects the vulnerability's ease of exploitation (network vector, no privileges or user interaction required) and its severe impact on confidentiality and integrity.
Mitigation Recommendations
An official fix is available in ORY Oathkeeper version 26.2.0. Users should upgrade to version 26.2.0 or later to remediate this vulnerability. No additional mitigations are specified in the advisory. Patch status is confirmed by the vendor advisory indicating the fix is included in version 26.2.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-20T16:59:08.887Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c570d8f4197a8e3bef1f02
Added to database: 3/26/2026, 5:46:00 PM
Last enriched: 4/3/2026, 1:41:47 PM
Last updated: 5/10/2026, 7:39:53 AM
Views: 91
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.