CVE-2026-33496: CWE-1289: Improper Validation of Unsafe Equivalence in Input in ory oathkeeper
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The `oauth2_introspection` authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and subsequently use the same token for rules that use a different introspection server. Ory Oathkeeper has to be configured with multiple `oauth2_introspection` authenticator servers, each accepting different tokens. The authenticators also must be configured to use caching. An attacker has to have a way to gain a valid token for one of the configured introspection servers. Starting in version 26.2.0, Ory Oathkeeper includes the introspection server URL in the cache key, preventing confusion of tokens. Update to the patched version of Ory Oathkeeper. If that is not immediately possible, disable caching for `oauth2_introspection` authenticators.
AI-Powered Analysis (machine-generated threat intelligence)
Technical Summary
ORY Oathkeeper is an Identity & Access Proxy (IAP) that authorizes HTTP requests based on access rules and supports multiple oauth2_introspection authenticators configured with different introspection server URLs. Prior to version 26.2.0, the oauth2_introspection authenticator caches token validation results but uses a cache key that does not include the introspection server URL. This leads to cache key confusion where a token validated against one introspection server can be reused to satisfy authentication checks for other introspection servers. An attacker who obtains a valid token for one introspection server can prime the cache with that token, then access resources protected by rules using different introspection servers without revalidation. This effectively bypasses intended authentication boundaries between different introspection servers. The vulnerability stems from improper validation of unsafe equivalence in input (CWE-1289) and insufficient authentication checks (CWE-305). The flaw requires that caching is enabled for oauth2_introspection authenticators and that multiple introspection servers are configured. The fix in version 26.2.0 adds the introspection server URL to the cache key, preventing token reuse across different servers. If immediate upgrade is not possible, disabling caching for oauth2_introspection authenticators prevents exploitation. No known exploits are reported in the wild as of now.
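The cache-key confusion described above, reduced to a small Go simulation that is added here and is not Oathkeeper's own code: two simulated introspection servers, an authenticator cache, the pre-26.2.0 key (token only) beside the 26.2.0 key (introspection URL plus token), and a check of whether a token primed via server A is later accepted by a rule bound to server B. Server URLs, token values and the plain-string keys are constructed for the illustration.

```go
package main

import "fmt"

// Tokens each simulated introspection server accepts (constructed sample data).
var servers = map[string]map[string]bool{
	"https://issuer-a.example/introspect": {"token-for-a": true},
	"https://issuer-b.example/introspect": {"token-for-b": true},
}

// introspect stands in for the HTTP call to the introspection endpoint.
func introspect(url, token string) bool { return servers[url][token] }

// vulnerableKey mirrors the pre-26.2.0 behaviour: the key depends only on the
// token, so results obtained from different introspection servers collide.
func vulnerableKey(_, token string) string { return token }

// fixedKey mirrors the 26.2.0 fix: the introspection URL is part of the key.
func fixedKey(url, token string) string { return url + "\x00" + token }

// authenticate consults the cache first and falls back to live introspection,
// caching only positive results, as an authenticator cache typically does.
func authenticate(cache map[string]bool, key func(string, string) string, url, token string) bool {
	k := key(url, token)
	if cache[k] {
		return true
	}
	if introspect(url, token) {
		cache[k] = true
		return true
	}
	return false
}

// crossServerReuse primes the cache with a legitimate request against server A,
// then presents the same token to a rule bound to server B; true means server B's
// rule accepted a token server B never issued.
func crossServerReuse(key func(string, string) string) bool {
	cache := map[string]bool{}
	a := "https://issuer-a.example/introspect"
	b := "https://issuer-b.example/introspect"
	authenticate(cache, key, a, "token-for-a")
	return authenticate(cache, key, b, "token-for-a")
}

func main() {
	fmt.Println("vulnerable key, token accepted by server B rule:", crossServerReuse(vulnerableKey))
	fmt.Println("fixed key, token accepted by server B rule:", crossServerReuse(fixedKey))
}
```

Disabling the cache entirely, the interim mitigation in the advisory, is equivalent to never storing results in `cache`, which is why it also closes the gap.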
Potential Impact
This vulnerability allows attackers with a valid token for one introspection server to bypass authentication controls on other introspection servers configured in the same Oathkeeper deployment. This can lead to unauthorized access to protected resources, compromising confidentiality and integrity of sensitive data and services. Organizations relying on Oathkeeper for fine-grained access control with multiple oauth2_introspection servers are at risk of privilege escalation and unauthorized resource access. The impact is significant in environments where different introspection servers represent different trust domains or client applications. Although availability is not affected, the breach of authentication boundaries can undermine trust in the identity and access management infrastructure, potentially leading to data breaches, compliance violations, and reputational damage.
Mitigation Recommendations
1. Upgrade ORY Oathkeeper to version 26.2.0 or later, which includes the fix that incorporates the introspection server URL into the cache key, eliminating cache key confusion.
2. If upgrading immediately is not feasible, disable caching for oauth2_introspection authenticators in the Oathkeeper configuration to prevent token reuse across different introspection servers.
3. Review and audit all oauth2_introspection authenticator configurations to ensure that multiple introspection servers are necessary and properly segregated.
4. Implement strict token issuance policies and monitor token usage to detect anomalous reuse patterns.
5. Employ network segmentation and access controls to limit exposure of introspection servers.
6. Regularly update and patch identity and access management components to minimize exposure to known vulnerabilities.
7. Conduct penetration testing and security assessments focusing on authentication mechanisms and caching behavior in Oathkeeper deployments.
Affected Countries
United States, Germany, Netherlands, United Kingdom, France, Canada, Australia, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:59:08.887Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c570d8f4197a8e3bef1f0a
Added to database: 3/26/2026, 5:46:00 PM
Last enriched: 3/26/2026, 6:00:39 PM
Last updated: 3/26/2026, 7:43:20 PM