HIGH🇵🇱 Wersja polska

CVE-2026-33496

CVSS 8.1v3.1pub. 2026-03-26upd. 2026-04-07

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The `oauth2_introspection` authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and subsequently use the same token for rules that use a different introspection server. Ory Oathkeeper has to be configured with multiple `oauth2_introspection` authenticator servers, each accepting different tokens. The authenticators also must be configured to use caching. An attacker has to have a way to gain a valid token for one of the configured introspection servers. Starting in version 26.2.0, Ory Oathkeeper includes the introspection server URL in the cache key, preventing confusion of tokens. Update to the patched version of Ory Oathkeeper. If that is not immediately possible, disable caching for `oauth2_introspection` authenticators.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  • Ory Oathkeeper

    APP
    Ory
    < 26.2.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-33494CRITICAL10.0PL ✓ten sam produkt

Ory Oathkeeper: pominięcie autoryzacji przez path traversal w URL

CVE-2021-32701HIGH7.5ten sam produkt

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP reques...

CVE-2026-33495MEDIUM6.5ten sam produkt

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP reques...

CVE-2026-33503HIGH7.2ten sam vendor

Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2...

CVE-2026-33504HIGH7.2ten sam vendor

Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth2Clients, ...