{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/oathkeeper/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Oathkeeper"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","vulnerability","oathkeeper","cache-poisoning","cloud"],"_cs_type":"advisory","_cs_vendors":["ORY"],"content_html":"\u003cp\u003eORY Oathkeeper, an Identity \u0026amp; Access Proxy, is susceptible to an authentication bypass vulnerability (CVE-2026-33496) affecting versions prior to 26.2.0. This vulnerability stems from a cache key confusion issue within the \u003ccode\u003eoauth2_introspection\u003c/code\u003e authenticator. The cache fails to differentiate between tokens validated using different introspection URLs. This allows an attacker, who has legitimately obtained a valid token for one of the configured introspection servers, to prime the cache and subsequently reuse the same token for access rules intended for a different introspection server. The attack requires the Oathkeeper instance to be configured with multiple \u003ccode\u003eoauth2_introspection\u003c/code\u003e authenticators, all utilizing caching. This poses a significant risk as it enables unauthorized access to protected resources. Version 26.2.0 addresses this issue by incorporating the introspection server URL into the cache key.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an ORY Oathkeeper instance running a version prior to 26.2.0 configured with multiple \u003ccode\u003eoauth2_introspection\u003c/code\u003e authenticators using caching.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a valid OAuth2 token for one of the configured introspection endpoints, potentially through legitimate means or by compromising a service that issues tokens for that endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to a protected resource that is governed by an access rule configured to use the compromised token's introspection endpoint. This primes the Oathkeeper's cache with the token's validation result.\u003c/li\u003e\n\u003cli\u003eThe attacker then crafts a second request to a \u003cem\u003edifferent\u003c/em\u003e protected resource that is governed by an access rule configured to use a \u003cem\u003edifferent\u003c/em\u003e introspection endpoint. Critically, this request uses the \u003cem\u003esame\u003c/em\u003e token.\u003c/li\u003e\n\u003cli\u003eDue to the cache key collision, Oathkeeper incorrectly uses the cached validation result from the first introspection endpoint for the second request.\u003c/li\u003e\n\u003cli\u003eIf the token is considered valid based on the cached result (even though it should be invalid for the second introspection endpoint), Oathkeeper grants unauthorized access to the protected resource.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully bypasses authentication and gains access to a resource they should not be authorized to access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33496 allows an attacker to bypass authentication and gain unauthorized access to protected resources managed by ORY Oathkeeper. The number of affected organizations depends on the adoption rate of ORY Oathkeeper and the number of instances running vulnerable versions with the specific misconfiguration (multiple \u003ccode\u003eoauth2_introspection\u003c/code\u003e authenticators with caching enabled). If exploited, this vulnerability can lead to data breaches, unauthorized modification of resources, and other security incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ORY Oathkeeper to version 26.2.0 or later to incorporate the fix for CVE-2026-33496.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, disable caching for \u003ccode\u003eoauth2_introspection\u003c/code\u003e authenticators to mitigate the vulnerability until an upgrade can be performed, as suggested in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-ory-oathkeeper-auth-bypass/","summary":"ORY Oathkeeper before 26.2.0 is vulnerable to authentication bypass (CVE-2026-33496) due to cache key confusion in the `oauth2_introspection` authenticator, allowing attackers with a valid token to bypass authentication by reusing it with different introspection URLs.","title":"ORY Oathkeeper Authentication Bypass Vulnerability (CVE-2026-33496)","url":"https://feed.craftedsignal.io/briefs/2024-01-ory-oathkeeper-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Oathkeeper","version":"https://jsonfeed.org/version/1.1"}