CVE Tools
Sign in

CVE-2026-33496

Ory Oathkeeper has an authentication bypass by cache key confusion

Published: Mar 26, 2026Updated: Apr 7, 2026 Sources: CVE List NVDCWE-305
NVD MITRE
8.1CVSSHIGH
EPSS Score
0.3%
Top 75.1%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The `oauth2_introspection` authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and subsequently use the same token for rules that use a different introspection server. Ory Oathkeeper has to be configured with multiple `oauth2_introspection` authenticator servers, each accepting different tokens. The authenticators also must be configured to use caching. An attacker has to have a way to gain a valid token for one of the configured introspection servers. Starting in version 26.2.0, Ory Oathkeeper includes the introspection server URL in the cache key, preventing confusion of tokens. Update to the patched version of Ory Oathkeeper. If that is not immediately possible, disable caching for `oauth2_introspection` authenticators.

CVSS Vector Breakdown

AV:NAC:LPR:LUI:NS:UC:HI:HA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:LPrivileges Required
Low
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-305CWE-1289

Affected Products

oathkeeperory
Mixed
Security Products / identity-access-mgmt
orycommercialCHSecurity Productsaka fosite, oathkeeper, hydra

Exploitability

Official Patch Available
Workaround Available

References

https://github.com/ory/oathkeeper/security/advisories/GHSA-4mq7-pvjg-xp2r
github.com
https://github.com/ory/oathkeeper/commit/198a2bc82a99e0a77bd0ffe290cbdd5285a1b17c
github.com

Timeline

Published
Mar 26, 2026
Last Updated
Apr 7, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-33496 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows