Lucene search
+L
OryOathkeeper

4 matches found

CVE
CVE
added 2021/06/22 7:45 p.m.93 views

CVE-2021-32701

ORY Oathkeeper’s CVE-2021-32701 describes an issue in the oauth2_introspection cache where a second request for a different scope (bar) could be treated as valid even if the new scope wasn’t granted, due to the cache not validating scopes beyond expiration. The root cause is that tokenFromCache i...

7.5CVSS7.4AI score0.01298EPSS
CVE
CVE
added 2026/03/26 5:26 p.m.22 views

CVE-2026-33495

CVE-2026-33495 affects ORY Oathkeeper. Prior to version 26.2.0, Oathkeeper could incorrectly trust the X-Forwarded-* headers when evaluating access rules, due to the serve.proxy.trust_forwarded_headers setting being ignored. This could allow an attacker with distinct HTTP/HTTPS rules to trigger t...

6.5CVSS5.8AI score0.00233EPSS
CVE
CVE
added 2026/03/26 5:29 p.m.21 views

CVE-2026-33496

Overview: CVE-2026-33496 affects ORY Oathkeeper (Identity & Access Proxy) prior to version 26.2.0, where the oauth2_introspection authenticator cache fails to distinguish tokens across different introspection URLs, enabling authentication bypass via cache key confusion. Impact (as described): An ...

8.1CVSS5.8AI score0.00333EPSS
CVE
CVE
added 2026/03/26 5:23 p.m.19 views

CVE-2026-33494

ORY Oathkeeper (IAP/Access Control Decision API) versions before 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL with path traversal sequences (for example /public/../admin/secrets) that normalizes to a protected path but is evaluated against ...

10CVSS5.8AI score0.00519EPSS