PT-2026-26779 · Ory · Ory Oathkeeper

Zepatrik · Published 2026-03-20 · Updated 2026-03-27

CVE-2026-33495 · CVSS v3.1 6.5 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Ory Oathkeeper (affected versions not specified)

Description: Ory Oathkeeper, when deployed behind components such as CDNs or reverse proxies, may evaluate access rules incorrectly because of improper handling of the X-Forwarded-Proto header. The configuration option serve.proxy.trust_forwarded_headers was not respected: Oathkeeper always honoured the header when deriving the request scheme, even when the operator had not opted in to trusting forwarded headers. An attacker who can set X-Forwarded-Proto on a request that reaches Oathkeeper can therefore make the request match a different rule than the one intended. This matters when the rule set contains distinct rules for http:// and https:// URLs and the attacker can reach the endpoint via one scheme but would be stopped by the rule for the other.

Recommendations: Upgrade to a fixed version of Ory Oathkeeper. As a general hardening measure, strip any unexpected or client-supplied forwarded headers (X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-For) as early as possible in the request path, for example at the WAF or edge proxy, and have the trusted proxy set them authoritatively rather than passing through client values.
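The following Go program is an added illustration of the failure mode described above; it is not Oathkeeper's own code. It contrasts a scheme-derivation routine that honours X-Forwarded-Proto unconditionally (the behaviour the advisory describes) with one that only consults the header when a trust flag is set, and runs both against a constructed, simplified rule set in which the https:// and http:// variants of the same path lead to different outcomes. Rule struct, field names, the `Decide` helper and the sample host `api.example.com` are assumptions made for the demo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Rule is a deliberately simplified stand-in for an access rule that matches on
// scheme, host and path prefix. Constructed for this example only.
type Rule struct {
	ID     string
	Scheme string // "http" or "https"
	Host   string
	Path   string // path prefix
	Action string // what the rule would do, e.g. "allow" / "deny"
}

// schemeVulnerable mirrors the faulty behaviour: X-Forwarded-Proto is honoured
// whenever present, regardless of the trust setting passed in.
func schemeVulnerable(r *http.Request, trustForwardedHeaders bool) string {
	if p := r.Header.Get("X-Forwarded-Proto"); p != "" {
		return strings.ToLower(p) // trust flag is ignored: this is the bug
	}
	if r.TLS != nil {
		return "https"
	}
	return "http"
}

// schemeFixed consults X-Forwarded-Proto only when the operator has opted in;
// otherwise the scheme comes from the connection itself.
func schemeFixed(r *http.Request, trustForwardedHeaders bool) string {
	if trustForwardedHeaders {
		if p := r.Header.Get("X-Forwarded-Proto"); p != "" {
			return strings.ToLower(p)
		}
	}
	if r.TLS != nil {
		return "https"
	}
	return "http"
}

// match returns the first rule whose scheme, host and path prefix all match.
func match(rules []Rule, scheme, host, path string) *Rule {
	for i := range rules {
		rl := &rules[i]
		if rl.Scheme == scheme && rl.Host == host && strings.HasPrefix(path, rl.Path) {
			return rl
		}
	}
	return nil
}

// Two rules for the same endpoint that differ only in scheme (constructed).
var rules = []Rule{
	{ID: "admin-https", Scheme: "https", Host: "api.example.com", Path: "/admin", Action: "allow"},
	{ID: "admin-http", Scheme: "http", Host: "api.example.com", Path: "/admin", Action: "deny"},
}

// Decide builds a plain-text (non-TLS) request, optionally carrying an
// attacker-supplied X-Forwarded-Proto, derives the scheme with schemeOf and
// reports which rule fired as "<rule-id>:<action>" (or "no-match").
func Decide(schemeOf func(*http.Request, bool) string, trust bool, forwardedProto string) string {
	r := httptest.NewRequest("GET", "http://api.example.com/admin/users", nil)
	if forwardedProto != "" {
		r.Header.Set("X-Forwarded-Proto", forwardedProto)
	}
	scheme := schemeOf(r, trust)
	if rl := match(rules, scheme, r.Host, r.URL.Path); rl != nil {
		return rl.ID + ":" + rl.Action
	}
	return "no-match"
}

func main() {
	fmt.Println("vulnerable, trust=false, spoofed https:", Decide(schemeVulnerable, false, "https"))
	fmt.Println("fixed,      trust=false, spoofed https:", Decide(schemeFixed, false, "https"))
	fmt.Println("fixed,      trust=true,  proxy-set https:", Decide(schemeFixed, true, "https"))
}
```

With the vulnerable routine, a plain HTTP request carrying a forged X-Forwarded-Proto: https is routed to the https-only rule even though trust_forwarded_headers is off; with the fixed routine the header is only believed once the operator has enabled trust, which should only be done when an upstream proxy overwrites the header on every request.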

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-33495
GHSA-VHR5-GGP3-QQ85
GO-2026-4810
SUSE-SU-2026:1135-1

Affected Products

Ory Oathkeeper