205 matches found

ATTACKERKB
added 2026/03/26 5:29 p.m. | 4 views

CVE-2026-33496

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The oauth2introspection authenticator cache does not distingui...

CVSS 8.1 | AI score 5.8 | EPSS 0.00333
Exploits 0 | References 3 | Affected Software 1
CVE
added 2026/03/26 5:29 p.m. | 16 views

CVE-2026-33496

Overview: CVE-2026-33496 affects ORY Oathkeeper (Identity & Access Proxy) prior to version 26.2.0, where the oauth2_introspection authenticator cache fails to distinguish tokens across different introspection URLs, enabling authentication bypass via cache key confusion. Impact (as described): An ...

CVSS 8.1 | AI score 5.8 | EPSS 0.00333
Exploits 0 | References 2 | Affected Software 1
Vulnrichment
added 2026/03/26 5:29 p.m. | 4 views

CVE-2026-33496 Ory Oathkeeper has an authentication bypass by cache key confusion

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The oauth2introspection authenticator cache does not distingui...

CVSS 8.1 | AI score 5.9 | EPSS 0.00333
Exploits 0 | References 2
CNNVD
added 2026/03/26 12:00 a.m. | 11 views

Ory Oathkeeper security vulnerability

Ory Oathkeeper is an access control decision-making software developed by Ory OpenSource. Versions of Ory Oathkeeper prior to 26.2.0 contained security vulnerabilities. These vulnerabilities were caused by a cache key confusion in the oauth2introspection authentication mechanism, which could lead...

CVSS 8.1 | AI score 6.4 | EPSS 0.00333
Exploits 0 | References 2
Snyk
added 2026/03/23 6:16 p.m. | 2 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication due to cache key confusion. An attacker can gain unauthorized access by using a token to prime the cache, and subsequently use the same token for rules that use a different introspection server. Note: This is onl...

CVSS 8.1 | AI score 5.8 | EPSS 0.00333
Exploits 0 | References 3
Snyk
added 2026/03/23 6:16 p.m. | 1 view

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication due to cache key confusion. An attacker can gain unauthorized access by using a token to prime the cache, and subsequently use the same token for rules that use a different introspection server. Note: This is onl...

CVSS 8.1 | AI score 5.8 | EPSS 0.00333
Exploits 0 | References 3
OSV
added 2026/03/23 6:16 p.m. | 9 views

GO-2026-4799 Ory Oathkeeper has an authentication bypass by cache key confusion in github.com/ory/oathkeeper

Ory Oathkeeper has an authentication bypass by cache key confusion in github.com/ory/oathkeeper...

CVSS 8.1 | AI score 5.8 | EPSS 0.00333
Exploits 0 | References 2
OSV
added 2026/03/20 8:51 p.m. | 7 views

GHSA-4MQ7-PVJG-XP2R Ory Oathkeeper has an authentication bypass by cache key confusion

Description Ory Oathkeeper is vulnerable to authentication bypass due to cache key confusion. The oauth2introspection authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and...

CVSS 8.1 | AI score 5.8 | EPSS 0.00333
Exploits 0 | References 4
Github Security Blog
added 2026/03/20 8:51 p.m. | 9 views

Ory Oathkeeper has an authentication bypass by cache key confusion

Description Ory Oathkeeper is vulnerable to authentication bypass due to cache key confusion. The oauth2introspection authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and...

CVSS 8.1 | AI score 5.8 | EPSS 0.00333
Exploits 0 | References 4 | Affected Software 1
Positive Technologies
added 2026/03/20 12:00 a.m. | 4 views

PT-2026-26780

Name of the Vulnerable Software and Affected Versions Ory Oathkeeper affected versions not specified Description Ory Oathkeeper is susceptible to authentication bypass due to cache key confusion within the oauth2 introspection authenticator. The caching mechanism does not differentiate between...

CVSS 8.1 | AI score 5.8 | EPSS 0.00333
Exploits 0 | References 6
RedhatCVE
added 2026/03/06 1:34 a.m. | 5 views

CVE-2026-2836

A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...

CVSS 8.4 | AI score 5.8 | EPSS 0.00394
Exploits 0 | References 1
EUVD
added 2026/03/05 8:57 p.m. | 4 views

EUVD-2026-9512

Pingora vulnerable to cache poisoning via insecure-by-default cache key...

CVSS 8.4 | AI score 5.9 | EPSS 0.00394
Exploits 0 | References 4
OSV
added 2026/03/05 8:57 p.m. | 6 views

GHSA-F93W-PCJ3-RGGC Pingora vulnerable to cache poisoning via insecure-by-default cache key

Impact Pingora versions prior to 0.8.0 generated cache keys using only the URI path, excluding critical factors such as the host header. This allows an attacker to poison the cache and serve cross-origin responses to users. This vulnerability affects users of Pingora's alpha proxy caching feature...

CVSS 8.4 | AI score 5.8 | EPSS 0.00394
Exploits 0 | References 4
Github Security Blog
added 2026/03/05 8:57 p.m. | 7 views

Pingora vulnerable to cache poisoning via insecure-by-default cache key

Impact Pingora versions prior to 0.8.0 generated cache keys using only the URI path, excluding critical factors such as the host header. This allows an attacker to poison the cache and serve cross-origin responses to users. This vulnerability affects users of Pingora's alpha proxy caching feature...

CVSS 8.4 | AI score 5.8 | EPSS 0.00394
Exploits 0 | References 4 | Affected Software 1
OSV
added 2026/03/05 12:31 a.m. | 4 views

GHSA-2M8C-2374-465F Duplicate Advisory: Cache poisoning via insecure-by-default cache key

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f93w-pcj3-rggc. This link is maintained to preserve external references. Original Description A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction...

CVSS 8.4 | AI score 5.8 | EPSS 0.00394
Exploits 0 | References 3
Github Security Blog
added 2026/03/05 12:31 a.m. | 8 views

Duplicate Advisory: Cache poisoning via insecure-by-default cache key

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f93w-pcj3-rggc. This link is maintained to preserve external references. Original Description A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction...

CVSS 8.4 | AI score 5.8 | EPSS 0.00394
Exploits 0 | References 4 | Affected Software 1
OSV
added 2026/03/05 12:15 a.m. | 4 views

CVE-2026-2836

A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...

CVSS 8.1 | AI score 5.7
Exploits 0 | References 1
Vulnrichment
added 2026/03/04 11:44 p.m. | 3 views

CVE-2026-2836 Cache poisoning via insecure-by-default cache key

A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...

CVSS 8.4 | AI score 5.7 | EPSS 0.00394
Exploits 0 | References 1
Cvelist
added 2026/03/04 11:44 p.m. | 28 views

CVE-2026-2836 Cache poisoning via insecure-by-default cache key

A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...

CVSS 8.4 | EPSS 0.00394
Exploits 0 | References 1
ATTACKERKB
added 2026/03/04 11:44 p.m. | 9 views

CVE-2026-2836

A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...

CVSS 8.4 | AI score 5.8 | EPSS 0.00394
Exploits 0 | References 2