CVE-2026-33494
ORY Oathkeeper (IAP/Access Control Decision API) versions before 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL with path traversal sequences (for example /public/../admin/secrets) that normalizes to a protected path but is evaluated against ...