CVE-2026-33496
Published: 26 March 2026
Description
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The `oauth2_introspection` authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and subsequently use the same token for rules that use a different introspection server. Ory Oathkeeper has to be configured with multiple `oauth2_introspection` authenticator servers, each accepting different tokens. The authenticators also must be configured to use caching. An attacker has to have a way to gain a valid token for one of the configured introspection servers. Starting in version 26.2.0, Ory Oathkeeper includes the introspection server URL in the cache key, preventing confusion of tokens. Update to the patched version of Ory Oathkeeper. If that is not immediately possible, disable caching for `oauth2_introspection` authenticators.
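To make the cache-key distinction concrete, the following is an added model of the two keying strategies written for this page (example code, not Oathkeeper's own implementation). The introspection server URLs and token values are constructed sample data, and `CrossServerAccepted` is a hypothetical helper that replays the prime-then-reuse sequence the description above outlines.

```go
package main

import "fmt"

// Constructed stand-in for two introspection endpoints, each accepting only its own tokens.
var servers = map[string]map[string]bool{
	"https://idp-a.example/introspect": {"token-from-idp-a": true},
	"https://idp-b.example/introspect": {"token-from-idp-b": true},
}

func introspect(url, token string) bool { return servers[url][token] }
// KeyFunc decides what the introspection cache is keyed on; that choice is the bug.
type KeyFunc func(url, token string) string
// TokenOnlyKey models the pre-26.2.0 keying: the introspection URL is ignored.
func TokenOnlyKey(_, token string) string { return token }
// URLAndTokenKey models the 26.2.0 fix: the URL is part of the key.
func URLAndTokenKey(url, token string) string { return url + "|" + token }
// Authenticator models an oauth2_introspection authenticator with caching enabled.
type Authenticator struct {
	cache map[string]bool
	key   KeyFunc
}

// Authenticate serves from cache on a hit, asks the server on a miss, caches only successes.
func (a *Authenticator) Authenticate(url, token string) bool {
	k := a.key(url, token)
	if ok, hit := a.cache[k]; hit {
		return ok
	}
	ok := introspect(url, token)
	if ok {
		a.cache[k] = true
	}
	return ok
}

// CrossServerAccepted reports whether a token valid only for server A is accepted by a
// rule pointing at server B after a legitimate request has primed the cache.
func CrossServerAccepted(k KeyFunc) bool {
	a := &Authenticator{cache: map[string]bool{}, key: k}
	const tok = "token-from-idp-a"
	a.Authenticate("https://idp-a.example/introspect", tok) // legitimate use primes the cache
	return a.Authenticate("https://idp-b.example/introspect", tok)
}

func main() {
	fmt.Println("token-only key:", CrossServerAccepted(TokenOnlyKey))  // true (confused)
	fmt.Println("url+token key:", CrossServerAccepted(URLAndTokenKey)) // false (fixed)
}
```

Disabling caching entirely, as the interim mitigation recommends, removes the cached branch in `Authenticate` and makes the keying choice irrelevant.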
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and correction of the cache key confusion flaw in ORY Oathkeeper's oauth2_introspection authenticator to prevent authentication bypass.
Mandates secure configuration settings, such as disabling caching for oauth2_introspection authenticators, as an interim mitigation against token cache confusion across different introspection URLs.
Requires management, selection, and monitoring of authorization servers used for OAuth2 token introspection, reducing risks from misconfigurations involving multiple servers with differing token acceptance.
Security Summary
CVE-2026-33496 is an authentication bypass vulnerability in ORY Oathkeeper, an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on Access Rules. Versions prior to 26.2.0 are affected due to cache key confusion in the oauth2_introspection authenticator, which fails to distinguish tokens validated against different introspection URLs.
An attacker can exploit this vulnerability if Ory Oathkeeper is configured with multiple oauth2_introspection authenticator servers—each accepting different tokens—and caching is enabled for these authenticators. The attacker must first obtain a valid token for one of the configured introspection servers to prime the cache. They can then reuse the same token to authenticate against rules that rely on a different introspection server, bypassing authentication. This leads to high confidentiality and integrity impacts, with a CVSS score of 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), associated with CWEs 305 and 1289.
The Ory Oathkeeper security advisory (GHSA-4mq7-pvjg-xp2r) and related commit recommend updating to version 26.2.0, which includes the introspection server URL in the cache key to prevent token confusion. As an interim mitigation, disable caching for oauth2_introspection authenticators.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass exploitable by low-privileged attackers over the network (PR:L/AV:N), enabling privilege escalation (T1068) and exploitation of the remote Oathkeeper service (T1210) to achieve high confidentiality/integrity impacts via cache confusion.