CVE-2026-33495: CWE-862: Missing Authorization in ory oathkeeper
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component might forward the request to the Oathkeeper proxy with a different protocol (http vs. https) than the original request. In order to properly match the request against the configured rules, Oathkeeper considers the `X-Forwarded-Proto` header when evaluating rules. The configuration option `serve.proxy.trust_forwarded_headers` (defaults to false) governs whether this and other `X-Forwarded-*` headers should be trusted. Prior to version 26.2.0, Oathkeeper did not properly respect this configuration, and would always consider the `X-Forwarded-Proto` header. In order for an attacker to abuse this, an installation of Ory Oathkeeper needs to have distinct rules for HTTP and HTTPS requests. Also, the attacker needs to be able to trigger one but not the other rule. In this scenario, the attacker can send the same request but with the `X-Forwarded-Proto` header in order to trigger the other rule. We do not expect many configurations to meet these preconditions. Version 26.2.0 contains a patch. Ory Oathkeeper will correctly respect the `serve.proxy.trust_forwarded_headers` configuration going forward, thereby eliminating the attack scenario. We recommend upgrading to a fixed version even if the preconditions are not met. As an additional mitigation, it is generally recommended to drop any unexpected headers as early as possible when a request is handled, e.g. in the WAF.
AI Analysis
Technical Summary
ORY Oathkeeper is an Identity & Access Proxy that authorizes HTTP requests based on configured access rules, often deployed behind CDNs, WAFs, or reverse proxies. It relies on the X-Forwarded-Proto header to determine the original request protocol when requests are forwarded through intermediaries. The configuration option serve.proxy.trust_forwarded_headers controls whether Oathkeeper should trust this and other X-Forwarded-* headers, defaulting to false for security. However, versions prior to 26.2.0 contained a vulnerability (CVE-2026-33495) where Oathkeeper always trusted the X-Forwarded-Proto header regardless of this setting. This flaw could be exploited if an attacker can send requests with manipulated X-Forwarded-Proto headers and if the deployment has distinct access rules for HTTP versus HTTPS requests. By spoofing this header, an attacker might bypass authorization checks by triggering a less restrictive rule. The vulnerability is classified under CWE-862 (Missing Authorization). Exploitation does not require authentication or user interaction, but the attack surface is limited by the need for specific configuration and rule sets. The patch in version 26.2.0 ensures Oathkeeper respects the trust_forwarded_headers setting, preventing unauthorized header trust. It is recommended to upgrade even if the preconditions are not met, as a best practice. Additionally, dropping unexpected or untrusted headers early in the request processing chain (e.g., via WAF or reverse proxy) can further reduce risk.
Potential Impact
If exploited, this vulnerability could allow unauthorized users to bypass access control rules in ORY Oathkeeper by manipulating the X-Forwarded-Proto header, potentially gaining access to resources that should be restricted. The impact on confidentiality and integrity is limited to the scope of the affected access rules, which must be distinct for HTTP and HTTPS. There is no direct impact on availability. Since the vulnerability requires specific configurations and attacker capabilities, the overall risk is moderate. However, in environments where Oathkeeper protects sensitive APIs or services with differentiated rules, unauthorized access could lead to data exposure or privilege escalation. Organizations relying on Oathkeeper for critical access control should consider this a significant risk until patched. The absence of known exploits in the wild reduces immediate threat but does not eliminate the risk of future attacks.
Mitigation Recommendations
1. Upgrade ORY Oathkeeper to version 26.2.0 or later immediately to ensure the vulnerability is patched and the trust_forwarded_headers configuration is respected. 2. Review and simplify access rules to avoid distinct rules based solely on HTTP vs HTTPS protocol, reducing the attack surface. 3. Configure upstream components such as CDNs, WAFs, and reverse proxies to drop or sanitize unexpected or untrusted X-Forwarded-* headers early in the request processing pipeline. 4. Implement strict validation and normalization of incoming headers before they reach Oathkeeper. 5. Monitor logs for unusual or suspicious usage of the X-Forwarded-Proto header or access patterns that could indicate attempts to exploit this vulnerability. 6. Conduct security reviews of proxy and header trust configurations regularly to ensure they align with best practices. 7. Educate DevOps and security teams about the risks of trusting forwarded headers without proper validation.
Affected Countries
United States, Germany, Netherlands, United Kingdom, France, Canada, Australia, Japan, South Korea, India
CVE-2026-33495: CWE-862: Missing Authorization in ory oathkeeper
Description
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component might forward the request to the Oathkeeper proxy with a different protocol (http vs. https) than the original request. In order to properly match the request against the configured rules, Oathkeeper considers the `X-Forwarded-Proto` header when evaluating rules. The configuration option `serve.proxy.trust_forwarded_headers` (defaults to false) governs whether this and other `X-Forwarded-*` headers should be trusted. Prior to version 26.2.0, Oathkeeper did not properly respect this configuration, and would always consider the `X-Forwarded-Proto` header. In order for an attacker to abuse this, an installation of Ory Oathkeeper needs to have distinct rules for HTTP and HTTPS requests. Also, the attacker needs to be able to trigger one but not the other rule. In this scenario, the attacker can send the same request but with the `X-Forwarded-Proto` header in order to trigger the other rule. We do not expect many configurations to meet these preconditions. Version 26.2.0 contains a patch. Ory Oathkeeper will correctly respect the `serve.proxy.trust_forwarded_headers` configuration going forward, thereby eliminating the attack scenario. We recommend upgrading to a fixed version even if the preconditions are not met. As an additional mitigation, it is generally recommended to drop any unexpected headers as early as possible when a request is handled, e.g. in the WAF.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
ORY Oathkeeper is an Identity & Access Proxy that authorizes HTTP requests based on configured access rules, often deployed behind CDNs, WAFs, or reverse proxies. It relies on the X-Forwarded-Proto header to determine the original request protocol when requests are forwarded through intermediaries. The configuration option serve.proxy.trust_forwarded_headers controls whether Oathkeeper should trust this and other X-Forwarded-* headers, defaulting to false for security. However, versions prior to 26.2.0 contained a vulnerability (CVE-2026-33495) where Oathkeeper always trusted the X-Forwarded-Proto header regardless of this setting. This flaw could be exploited if an attacker can send requests with manipulated X-Forwarded-Proto headers and if the deployment has distinct access rules for HTTP versus HTTPS requests. By spoofing this header, an attacker might bypass authorization checks by triggering a less restrictive rule. The vulnerability is classified under CWE-862 (Missing Authorization). Exploitation does not require authentication or user interaction, but the attack surface is limited by the need for specific configuration and rule sets. The patch in version 26.2.0 ensures Oathkeeper respects the trust_forwarded_headers setting, preventing unauthorized header trust. It is recommended to upgrade even if the preconditions are not met, as a best practice. Additionally, dropping unexpected or untrusted headers early in the request processing chain (e.g., via WAF or reverse proxy) can further reduce risk.
Potential Impact
If exploited, this vulnerability could allow unauthorized users to bypass access control rules in ORY Oathkeeper by manipulating the X-Forwarded-Proto header, potentially gaining access to resources that should be restricted. The impact on confidentiality and integrity is limited to the scope of the affected access rules, which must be distinct for HTTP and HTTPS. There is no direct impact on availability. Since the vulnerability requires specific configurations and attacker capabilities, the overall risk is moderate. However, in environments where Oathkeeper protects sensitive APIs or services with differentiated rules, unauthorized access could lead to data exposure or privilege escalation. Organizations relying on Oathkeeper for critical access control should consider this a significant risk until patched. The absence of known exploits in the wild reduces immediate threat but does not eliminate the risk of future attacks.
Mitigation Recommendations
1. Upgrade ORY Oathkeeper to version 26.2.0 or later immediately to ensure the vulnerability is patched and the trust_forwarded_headers configuration is respected. 2. Review and simplify access rules to avoid distinct rules based solely on HTTP vs HTTPS protocol, reducing the attack surface. 3. Configure upstream components such as CDNs, WAFs, and reverse proxies to drop or sanitize unexpected or untrusted X-Forwarded-* headers early in the request processing pipeline. 4. Implement strict validation and normalization of incoming headers before they reach Oathkeeper. 5. Monitor logs for unusual or suspicious usage of the X-Forwarded-Proto header or access patterns that could indicate attempts to exploit this vulnerability. 6. Conduct security reviews of proxy and header trust configurations regularly to ensure they align with best practices. 7. Educate DevOps and security teams about the risks of trusting forwarded headers without proper validation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-20T16:59:08.887Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c570d8f4197a8e3bef1f06
Added to database: 3/26/2026, 5:46:00 PM
Last enriched: 3/26/2026, 6:01:42 PM
Last updated: 3/26/2026, 7:38:47 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.