Lucene search
K

8 matches found

CVE
CVE
added 2026/03/26 5:29 p.m.17 views

CVE-2026-33496

Overview: CVE-2026-33496 affects ORY Oathkeeper (Identity & Access Proxy) prior to version 26.2.0, where the oauth2_introspection authenticator cache fails to distinguish tokens across different introspection URLs, enabling authentication bypass via cache key confusion. Impact (as described): An ...

8.1CVSS5.8AI score0.00333EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/26 5:29 p.m.4 views

CVE-2026-33496

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The oauth2introspection authenticator cache does not distingui...

8.1CVSS5.8AI score0.00333EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/26 5:29 p.m.6 views

CVE-2026-33496 Ory Oathkeeper has an authentication bypass by cache key confusion

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The oauth2introspection authenticator cache does not distingui...

8.1CVSS6.4AI score0.00333EPSS
Exploits0References4
OSV
OSV
added 2026/03/20 8:51 p.m.7 views

GHSA-4MQ7-PVJG-XP2R Ory Oathkeeper has an authentication bypass by cache key confusion

Description Ory Oathkeeper is vulnerable to authentication bypass due to cache key confusion. The oauth2introspection authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and...

8.1CVSS5.8AI score0.00333EPSS
Exploits0References4
EUVD
EUVD
added 2025/10/07 12:30 a.m.7 views

EUVD-2021-1410

Malware in sbrugna...

7.5CVSS7.4AI score0.01298EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2021/06/23 6:0 p.m.44 views

Possible bypass of token claim validation when OAuth2 Introspection caching is enabled

Impact When you make a request to an endpoint that requires the scope foo using an access token granted with that foo scope, introspection will be valid and that token will be cached. The problem comes when a second requests to an endpoint that requires the scope bar is made before the cache has...

1AI score
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2021/06/22 7:45 p.m.35 views

CVE-2021-32701 Possible bypass of token claim validation when OAuth2 Introspection caching is enabled

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope foo using an access token granted with that foo scope, introspection will be valid and that...

7.5CVSS7.7AI score0.01298EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2021/06/22 12:0 a.m.46 views

PT-2021-19867 · Ory · Ory Oathkeeper

Name of the Vulnerable Software and Affected Versions: ORY Oathkeeper versions prior to v0.38.12-beta.1 Description: The issue arises when a request is made to an endpoint requiring a specific scope, and the access token is granted with that scope, making introspection valid and caching the token...

7.5CVSS7AI score0.01298EPSS
Exploits0References12
Rows per page
Query Builder