PT-2026-26778 · Ory · Ory Oathkeeper

Zepatrik · Published 2026-03-20 · Updated 2026-03-27 · CVE-2026-33494

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Ory Oathkeeper (affected versions not specified)

Description: Ory Oathkeeper is susceptible to an authorization bypass caused by a path traversal issue. Because the raw request path is used during rule evaluation without normalization, an attacker can craft URLs containing path traversal sequences, such as /public/../admin/secrets, that are matched against permissive rules for the unnormalized path, allowing access to protected resources. The affected software has been updated to normalize the request path before rule matching and forwarding. As a defense-in-depth measure, normalizing HTTP paths in front of Oathkeeper is recommended; reverse proxies and CDNs such as Nginx, Envoy, and Cloudflare offer features to do this. Nginx normalizes paths by default when using proxy_pass, or when $uri is used instead of $request_uri. Envoy offers the normalize_path option (available since Envoy 1.14). Cloudflare normalizes URLs by default, and "Normalize incoming URLs" can be enabled in the dashboard.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
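As an added illustration of the fix described above (not code from Ory or from the advisory), this Go snippet matches the advisory's example URL against two hypothetical prefix rules, once on the raw path and once after normalization with path.Clean, to show why the normalization step must precede rule matching:

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed sample rules in a hypothetical, simplified model (not
// Oathkeeper's rule format): longest matching prefix wins, no match denies.
var rules = []struct{ Prefix, Handler string }{
	{"/public/", "anonymous"},
	{"/admin/", "authenticated"},
}

func match(p string) string {
	best, handler := -1, "deny"
	for _, r := range rules {
		if strings.HasPrefix(p, r.Prefix) && len(r.Prefix) > best {
			best, handler = len(r.Prefix), r.Handler
		}
	}
	return handler
}

// NormalizePath resolves "." and ".." segments and collapses duplicate slashes
// on the decoded request path; this is the step the advisory says was missing.
func NormalizePath(p string) string {
	return path.Clean("/" + p)
}

// Evaluate matches a request URI against the rules. With normalize=false it
// reproduces the flaw (rules see the raw path); with true it applies the fix.
func Evaluate(rawURI string, normalize bool) string {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return "deny"
	}
	p := u.Path
	if normalize {
		p = NormalizePath(p)
	}
	return match(p)
}

func main() {
	uri := "/public/../admin/secrets"
	fmt.Printf("raw: %s, normalized: %s\n", Evaluate(uri, false), Evaluate(uri, true))
}
```

The raw evaluation selects the permissive /public/ rule, while the normalized path /admin/secrets is routed to the rule requiring authentication.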

Exploit

Weakness Enumeration: Relative Path Traversal

Related Identifiers

CVE-2026-33494
GHSA-P224-6X5R-FJPM
GO-2026-4804
SUSE-SU-2026:1135-1

Affected Products

Cloudflared
Envoy
Nginx
Ory Oathkeeper