CVE-2026-33494
Published: 26 March 2026
Summary
CVE-2026-33494 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in Ory Oathkeeper. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Requires validation of HTTP path inputs to detect and reject path traversal sequences before authorization rule evaluation.
- Mandates enforcement mechanisms that correctly apply access policies to normalized paths, preventing bypass via raw un-normalized path matching.
- Ensures access control decisions in the proxy are compiled using properly processed security attributes like normalized resource paths.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Authorization bypass via HTTP path traversal in public-facing Oathkeeper IAP directly enables T1190 (Exploit Public-Facing Application) by allowing unauthenticated remote attackers to bypass access rules and reach protected resources.
NVD Description
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.
Deeper analysis [AI]
CVE-2026-33494 is an authorization bypass vulnerability in ORY Oathkeeper, an Identity & Access Proxy (IAP) and Access Control Decision API used to authorize HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are affected due to improper path handling during rule evaluation, allowing HTTP path traversal. Specifically, an attacker can craft a URL with path traversal sequences, such as `/public/../admin/secrets`, where the raw, un-normalized path matches a permissive rule, even though normalization resolves it to a protected path. The vulnerability is rated with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N) and is associated with CWE-23 (Relative Path Traversal).
The attack requires no privileges and can be conducted remotely over the network with low complexity. An unauthenticated attacker sends a specially crafted HTTP request to Oathkeeper, exploiting the mismatch between raw path matching in rules and post-normalization resolution. Successful exploitation bypasses authorization controls, granting access to sensitive protected resources, resulting in high confidentiality and integrity impacts with a changed scope.
Mitigation is available in Oathkeeper version 26.2.0, which patches the path normalization issue during rule evaluation. The ORY Oathkeeper security advisory (GHSA-p224-6x5r-fjpm) and the patching commit (8e0002140491c592db41fa141dc6ad68f417e2b2) on GitHub provide full details on the fix and recommend upgrading immediately.
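To make the raw-versus-normalized mismatch described above concrete, the following Go model is added here as an illustration; it is not Oathkeeper's code and does not use its rule format. It assumes a constructed, ordered set of prefix rules (`/public/` open to anonymous requests, `/admin/` not), a hypothetical host `iap.example`, and Go's `path.Clean` as the stand-in for whatever normalization the upstream performs. `evaluateRaw` reproduces the defect class (rule chosen from the raw request path); `evaluateNormalized` is the hardened form that normalizes first and rejects any request whose path changed under normalization, which is what the AC-3/AC-24 guidance above calls for.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Rule is a minimal stand-in for an access rule: a path prefix and whether
// requests under it may pass without authentication. Constructed for this
// example; it is not Oathkeeper's rule format.
type Rule struct {
	Prefix    string
	AllowAnon bool
}

// Ordered rule set, evaluated first-match (constructed sample rules).
var rules = []Rule{
	{Prefix: "/public/", AllowAnon: true},
	{Prefix: "/admin/", AllowAnon: false},
}

// Decision records how an anonymous request was resolved.
type Decision struct {
	MatchedPath  string // path the rule lookup actually used
	ResolvedPath string // path the upstream would serve after normalization
	Allowed      bool
	Reason       string
}

// normalize collapses "." and ".." segments the way an upstream route or
// file handler would, keeping a trailing slash so prefix rules still apply.
func normalize(p string) string {
	cleaned := path.Clean(p)
	if strings.HasSuffix(p, "/") && cleaned != "/" {
		cleaned += "/"
	}
	return cleaned
}

func firstMatch(p string) (Rule, bool) {
	for _, r := range rules {
		if strings.HasPrefix(p, r.Prefix) {
			return r, true
		}
	}
	return Rule{}, false
}

func decide(matched, resolved string) Decision {
	r, ok := firstMatch(matched)
	if !ok {
		return Decision{MatchedPath: matched, ResolvedPath: resolved, Allowed: false, Reason: "no matching rule (default deny)"}
	}
	return Decision{MatchedPath: matched, ResolvedPath: resolved, Allowed: r.AllowAnon, Reason: "matched rule " + r.Prefix}
}

// requestPath returns the decoded request path, defaulting an empty path to "/".
func requestPath(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if u.Path == "" {
		return "/", nil
	}
	return u.Path, nil
}

// evaluateRaw reproduces the defect class: the rule is chosen from the raw
// request path, while the upstream serves the normalized one.
func evaluateRaw(rawURL string) (Decision, error) {
	raw, err := requestPath(rawURL)
	if err != nil {
		return Decision{}, err
	}
	return decide(raw, normalize(raw)), nil
}

// evaluateNormalized is the hardened form: normalize first, refuse any request
// whose path changed under normalization (traversal sequences are rejected
// outright rather than silently rewritten), then match on the clean path.
func evaluateNormalized(rawURL string) (Decision, error) {
	raw, err := requestPath(rawURL)
	if err != nil {
		return Decision{}, err
	}
	resolved := normalize(raw)
	if resolved != raw {
		return Decision{MatchedPath: raw, ResolvedPath: resolved, Allowed: false, Reason: "rejected: path changed under normalization"}, nil
	}
	return decide(resolved, resolved), nil
}

func main() {
	for _, u := range []string{
		"http://iap.example/public/index.html",
		"http://iap.example/public/../admin/secrets", // the advisory's example path
	} {
		raw, _ := evaluateRaw(u)
		fixed, _ := evaluateNormalized(u)
		fmt.Printf("%s\n  raw-match:  allowed=%-5v matched=%q resolves to %q\n  normalized: allowed=%-5v (%s)\n",
			u, raw.Allowed, raw.MatchedPath, raw.ResolvedPath, fixed.Allowed, fixed.Reason)
	}
}
```

Note that `url.Parse` already yields the decoded path in `u.Path`, so the hardened check compares what the upstream will actually see. Rejecting on any difference (rather than quietly matching the cleaned path) is the stricter choice: it also surfaces such requests in the proxy's deny logs, which is where a detection rule for this CVE would look.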
Details
- CWE(s)