3 matches found
CVE-2026-33495
CVE-2026-33495 affects ORY Oathkeeper. Prior to version 26.2.0, Oathkeeper could incorrectly trust the X-Forwarded-* headers when evaluating access rules, due to the serve.proxy.trust_forwarded_headers setting being ignored. This could allow an attacker with distinct HTTP/HTTPS rules to trigger t...
CVE-2026-33496
Overview: CVE-2026-33496 affects ORY Oathkeeper (Identity & Access Proxy) prior to version 26.2.0, where the oauth2_introspection authenticator cache fails to distinguish tokens across different introspection URLs, enabling authentication bypass via cache key confusion. Impact (as described): An ...
CVE-2026-33494
ORY Oathkeeper (IAP/Access Control Decision API) versions before 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL with path traversal sequences (for example /public/../admin/secrets) that normalizes to a protected path but is evaluated against ...