ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on predefined access rules. Versions prior to 26.2.0 contain a critical vulnerability (CVE-2026-33494) categorized as CWE-23 (Relative Path Traversal). The vulnerability arises because the system evaluates access rules against the raw, un-normalized HTTP request path rather than the normalized path. Attackers can exploit this by crafting URLs with relative path traversal sequences such as `/public/../admin/secrets`. After normalization, this path resolves to a protected resource, but the access control logic incorrectly matches it against a permissive rule due to the un-normalized path evaluation. This results in an authorization bypass, allowing attackers to access sensitive resources without proper permissions. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 base score is 10.0, reflecting its critical impact on confidentiality and integrity with no availability impact. The issue was fixed in ORY Oathkeeper version 26.2.0 by ensuring that access rules are evaluated against normalized paths, preventing traversal bypasses.

This vulnerability can have severe consequences for organizations using vulnerable versions of ORY Oathkeeper. Since Oathkeeper is often deployed as a gatekeeper for identity and access management in microservices and API environments, an attacker exploiting this flaw can bypass authorization controls and gain unauthorized access to sensitive internal endpoints, confidential data, or administrative interfaces. This compromises confidentiality and integrity, potentially leading to data breaches, unauthorized data modification, or exposure of secrets. The critical nature of the vulnerability and its ease of exploitation (no authentication or user interaction required) make it a high-risk threat. Organizations relying on Oathkeeper for access control in cloud-native or distributed environments are particularly at risk, as this could undermine the entire security posture of their API gateways and identity proxies.

The primary mitigation is to upgrade ORY Oathkeeper to version 26.2.0 or later, where the vulnerability is patched. Until the upgrade can be performed, organizations should implement strict input validation and normalization of HTTP request paths before they reach Oathkeeper to prevent path traversal sequences from being processed. Additionally, deploying Web Application Firewalls (WAFs) with rules to detect and block path traversal attempts can reduce exposure. Organizations should audit their access rules to ensure no overly permissive rules exist that could be exploited via path manipulation. Monitoring and logging HTTP requests for suspicious path traversal patterns can help detect exploitation attempts. Finally, conducting a security review of all API gateways and proxies for similar path normalization issues is recommended to prevent analogous vulnerabilities.