{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ory-oathkeeper/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Oathkeeper"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-33494","ORY Oathkeeper","path traversal","authorization bypass"],"_cs_type":"advisory","_cs_vendors":["ORY"],"content_html":"\u003cp\u003eORY Oathkeeper, an Identity \u0026amp; Access Proxy (IAP) and Access Control Decision API, is susceptible to an authorization bypass vulnerability affecting versions prior to 26.2.0. This vulnerability, identified as CVE-2026-33494, stems from improper handling of HTTP path traversal sequences. Attackers can exploit this flaw by crafting malicious URLs containing sequences like \u003ccode\u003e/public/../admin/secrets\u003c/code\u003e. The application normalizes the path, resolving it to a protected resource. However, the authorization check uses the original, un-normalized path, potentially matching it against a permissive rule and granting unauthorized access. Organizations using affected versions of ORY Oathkeeper are at risk of unauthorized access to sensitive data and functionalities. Version 26.2.0 addresses this vulnerability with a patch.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an ORY Oathkeeper instance running a version prior to 26.2.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request URL containing path traversal sequences, such as \u003ccode\u003e/public/../admin/secrets\u003c/code\u003e, targeting a protected resource.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the ORY Oathkeeper instance.\u003c/li\u003e\n\u003cli\u003eORY Oathkeeper receives the request and normalizes the path, correctly resolving it to \u003ccode\u003e/admin/secrets\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eHowever, the authorization check uses the raw, un-normalized path (\u003ccode\u003e/public/../admin/secrets\u003c/code\u003e) to evaluate access rules.\u003c/li\u003e\n\u003cli\u003eA permissive rule matching the un-normalized path is found, potentially granting access.\u003c/li\u003e\n\u003cli\u003eORY Oathkeeper incorrectly authorizes the request based on the flawed path evaluation.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the protected resource \u003ccode\u003e/admin/secrets\u003c/code\u003e, potentially exfiltrating sensitive information or performing unauthorized actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33494 allows attackers to bypass intended access controls within ORY Oathkeeper deployments. This can lead to unauthorized access to sensitive data, configuration settings, and administrative functionalities. Given the role of ORY Oathkeeper in securing HTTP requests, a successful attack can compromise the confidentiality and integrity of protected applications and resources. The CVSS v3.1 base score of 10.0 reflects the criticality of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade ORY Oathkeeper to version 26.2.0 or later to remediate CVE-2026-33494.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect ORY Oathkeeper Path Traversal Attempts\u0026quot; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests containing path traversal sequences (e.g., \u003ccode\u003e..\u003c/code\u003e, \u003ccode\u003e%2e%2e\u003c/code\u003e) in the URI, as detected by the Sigma rule \u0026quot;Detect Generic HTTP Path Traversal\u0026quot;.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests with malicious path traversal patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-ory-oathkeeper-path-traversal/","summary":"ORY Oathkeeper versions prior to 26.2.0 are vulnerable to an authorization bypass (CVE-2026-33494) via HTTP path traversal, enabling attackers to access protected resources by crafting URLs with path traversal sequences.","title":"ORY Oathkeeper Authorization Bypass via Path Traversal (CVE-2026-33494)","url":"https://feed.craftedsignal.io/briefs/2024-01-ory-oathkeeper-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - ORY Oathkeeper","version":"https://jsonfeed.org/version/1.1"}