{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/ory/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Oathkeeper"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","vulnerability","oathkeeper","cache-poisoning","cloud"],"_cs_type":"advisory","_cs_vendors":["ORY"],"content_html":"\u003cp\u003eORY Oathkeeper, an Identity \u0026amp; Access Proxy, is susceptible to an authentication bypass vulnerability (CVE-2026-33496) affecting versions prior to 26.2.0. This vulnerability stems from a cache key confusion issue within the \u003ccode\u003eoauth2_introspection\u003c/code\u003e authenticator. The cache fails to differentiate between tokens validated using different introspection URLs. This allows an attacker, who has legitimately obtained a valid token for one of the configured introspection servers, to prime the cache and subsequently reuse the same token for access rules intended for a different introspection server. The attack requires the Oathkeeper instance to be configured with multiple \u003ccode\u003eoauth2_introspection\u003c/code\u003e authenticators, all utilizing caching. This poses a significant risk as it enables unauthorized access to protected resources. Version 26.2.0 addresses this issue by incorporating the introspection server URL into the cache key.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an ORY Oathkeeper instance running a version prior to 26.2.0 configured with multiple \u003ccode\u003eoauth2_introspection\u003c/code\u003e authenticators using caching.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a valid OAuth2 token for one of the configured introspection endpoints, potentially through legitimate means or by compromising a service that issues tokens for that endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to a protected resource that is governed by an access rule configured to use the compromised token's introspection endpoint. This primes the Oathkeeper's cache with the token's validation result.\u003c/li\u003e\n\u003cli\u003eThe attacker then crafts a second request to a \u003cem\u003edifferent\u003c/em\u003e protected resource that is governed by an access rule configured to use a \u003cem\u003edifferent\u003c/em\u003e introspection endpoint. Critically, this request uses the \u003cem\u003esame\u003c/em\u003e token.\u003c/li\u003e\n\u003cli\u003eDue to the cache key collision, Oathkeeper incorrectly uses the cached validation result from the first introspection endpoint for the second request.\u003c/li\u003e\n\u003cli\u003eIf the token is considered valid based on the cached result (even though it should be invalid for the second introspection endpoint), Oathkeeper grants unauthorized access to the protected resource.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully bypasses authentication and gains access to a resource they should not be authorized to access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33496 allows an attacker to bypass authentication and gain unauthorized access to protected resources managed by ORY Oathkeeper. The number of affected organizations depends on the adoption rate of ORY Oathkeeper and the number of instances running vulnerable versions with the specific misconfiguration (multiple \u003ccode\u003eoauth2_introspection\u003c/code\u003e authenticators with caching enabled). If exploited, this vulnerability can lead to data breaches, unauthorized modification of resources, and other security incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ORY Oathkeeper to version 26.2.0 or later to incorporate the fix for CVE-2026-33496.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, disable caching for \u003ccode\u003eoauth2_introspection\u003c/code\u003e authenticators to mitigate the vulnerability until an upgrade can be performed, as suggested in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-ory-oathkeeper-auth-bypass/","summary":"ORY Oathkeeper before 26.2.0 is vulnerable to authentication bypass (CVE-2026-33496) due to cache key confusion in the `oauth2_introspection` authenticator, allowing attackers with a valid token to bypass authentication by reusing it with different introspection URLs.","title":"ORY Oathkeeper Authentication Bypass Vulnerability (CVE-2026-33496)","url":"https://feed.craftedsignal.io/briefs/2024-01-ory-oathkeeper-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Keto"],"_cs_severities":["critical"],"_cs_tags":["sql-injection","vulnerability","ory-keto","cve-2026-33505"],"_cs_type":"advisory","_cs_vendors":["Ory"],"content_html":"\u003cp\u003eOry Keto, an open-source authorization server designed for managing permissions at scale, is susceptible to a SQL injection vulnerability (CVE-2026-33505) affecting versions prior to 26.2.0. This vulnerability resides within the GetRelationships API due to insecure pagination token handling. The application uses a secret configured in \u003ccode\u003esecrets.pagination\u003c/code\u003e to encrypt pagination tokens. However, if this configuration is absent, it defaults to a publicly known hard-coded secret. An attacker who knows the secret can craft malicious pagination tokens, enabling SQL injection. This impacts organizations where the GetRelationships API is accessible, the attacker can inject a raw pagination token, and the \u003ccode\u003esecrets.pagination\u003c/code\u003e value is either not set or known. This allows an attacker to execute arbitrary SQL queries against the Ory Keto database, potentially compromising sensitive data and control over the authorization server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Ory Keto instance running a version prior to 26.2.0.\u003c/li\u003e\n\u003cli\u003eThe attacker determines that the \u003ccode\u003esecrets.pagination\u003c/code\u003e configuration value is not set on the target Ory Keto instance, enabling the default hardcoded secret.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL payload designed to be injected into the GetRelationships API.\u003c/li\u003e\n\u003cli\u003eThe attacker generates a valid-looking pagination token using the known default \u003ccode\u003esecrets.pagination\u003c/code\u003e secret, embedding the malicious SQL payload within the token.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the GetRelationships API with the forged pagination token.\u003c/li\u003e\n\u003cli\u003eThe Ory Keto application processes the request and decrypts the pagination token, unknowingly passing the malicious SQL payload to the database query.\u003c/li\u003e\n\u003cli\u003eThe database executes the attacker's SQL query.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information or executes arbitrary database commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-33505) in Ory Keto can have severe consequences. An attacker could potentially gain unauthorized access to sensitive permission data, modify access control policies, or even compromise the entire authorization server. This can lead to privilege escalation, data breaches, and complete control over the systems relying on Ory Keto for authorization. The CVSS v3.1 base score for this vulnerability is rated as 7.2 (High), highlighting the significant risk it poses to organizations using affected versions of Ory Keto.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately configure a custom value for \u003ccode\u003esecrets.pagination\u003c/code\u003e by generating a cryptographically secure random secret to mitigate CVE-2026-33505.\u003c/li\u003e\n\u003cli\u003eUpgrade Keto to version 26.2.0 or later to patch CVE-2026-33505, addressing the underlying SQL injection vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the GetRelationships API containing unusual pagination tokens to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the GetRelationships API to reduce the impact of potential SQL injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-ory-keto-sql-injection/","summary":"Ory Keto versions prior to 26.2.0 are vulnerable to SQL injection via the GetRelationships API due to flaws in its pagination implementation, enabling attackers with knowledge of the pagination secret (or the default secret) to craft malicious tokens leading to arbitrary SQL query execution.","title":"Ory Keto SQL Injection Vulnerability via GetRelationships API (CVE-2026-33505)","url":"https://feed.craftedsignal.io/briefs/2024-01-ory-keto-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Oathkeeper"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-33494","ORY Oathkeeper","path traversal","authorization bypass"],"_cs_type":"advisory","_cs_vendors":["ORY"],"content_html":"\u003cp\u003eORY Oathkeeper, an Identity \u0026amp; Access Proxy (IAP) and Access Control Decision API, is susceptible to an authorization bypass vulnerability affecting versions prior to 26.2.0. This vulnerability, identified as CVE-2026-33494, stems from improper handling of HTTP path traversal sequences. Attackers can exploit this flaw by crafting malicious URLs containing sequences like \u003ccode\u003e/public/../admin/secrets\u003c/code\u003e. The application normalizes the path, resolving it to a protected resource. However, the authorization check uses the original, un-normalized path, potentially matching it against a permissive rule and granting unauthorized access. Organizations using affected versions of ORY Oathkeeper are at risk of unauthorized access to sensitive data and functionalities. Version 26.2.0 addresses this vulnerability with a patch.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an ORY Oathkeeper instance running a version prior to 26.2.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request URL containing path traversal sequences, such as \u003ccode\u003e/public/../admin/secrets\u003c/code\u003e, targeting a protected resource.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the ORY Oathkeeper instance.\u003c/li\u003e\n\u003cli\u003eORY Oathkeeper receives the request and normalizes the path, correctly resolving it to \u003ccode\u003e/admin/secrets\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eHowever, the authorization check uses the raw, un-normalized path (\u003ccode\u003e/public/../admin/secrets\u003c/code\u003e) to evaluate access rules.\u003c/li\u003e\n\u003cli\u003eA permissive rule matching the un-normalized path is found, potentially granting access.\u003c/li\u003e\n\u003cli\u003eORY Oathkeeper incorrectly authorizes the request based on the flawed path evaluation.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the protected resource \u003ccode\u003e/admin/secrets\u003c/code\u003e, potentially exfiltrating sensitive information or performing unauthorized actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33494 allows attackers to bypass intended access controls within ORY Oathkeeper deployments. This can lead to unauthorized access to sensitive data, configuration settings, and administrative functionalities. Given the role of ORY Oathkeeper in securing HTTP requests, a successful attack can compromise the confidentiality and integrity of protected applications and resources. The CVSS v3.1 base score of 10.0 reflects the criticality of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade ORY Oathkeeper to version 26.2.0 or later to remediate CVE-2026-33494.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect ORY Oathkeeper Path Traversal Attempts\u0026quot; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests containing path traversal sequences (e.g., \u003ccode\u003e..\u003c/code\u003e, \u003ccode\u003e%2e%2e\u003c/code\u003e) in the URI, as detected by the Sigma rule \u0026quot;Detect Generic HTTP Path Traversal\u0026quot;.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests with malicious path traversal patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-ory-oathkeeper-path-traversal/","summary":"ORY Oathkeeper versions prior to 26.2.0 are vulnerable to an authorization bypass (CVE-2026-33494) via HTTP path traversal, enabling attackers to access protected resources by crafting URLs with path traversal sequences.","title":"ORY Oathkeeper Authorization Bypass via Path Traversal (CVE-2026-33494)","url":"https://feed.craftedsignal.io/briefs/2024-01-ory-oathkeeper-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - ORY","version":"https://jsonfeed.org/version/1.1"}