Description
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component might forward the request to the Oathkeeper proxy with a different protocol (http vs. https) than the original request. In order to properly match the request against the configured rules, Oathkeeper considers the `X-Forwarded-Proto` header when evaluating rules. The configuration option `serve.proxy.trust_forwarded_headers` (defaults to false) governs whether this and other `X-Forwarded-*` headers should be trusted. Prior to version 26.2.0, Oathkeeper did not properly respect this configuration, and would always consider the `X-Forwarded-Proto` header. In order for an attacker to abuse this, an installation of Ory Oathkeeper needs to have distinct rules for HTTP and HTTPS requests. Also, the attacker needs to be able to trigger one but not the other rule. In this scenario, the attacker can send the same request but with the `X-Forwarded-Proto` header in order to trigger the other rule. We do not expect many configurations to meet these preconditions. Version 26.2.0 contains a patch. Ory Oathkeeper will correctly respect the `serve.proxy.trust_forwarded_headers` configuration going forward, thereby eliminating the attack scenario. We recommend upgrading to a fixed version even if the preconditions are not met. As an additional mitigation, it is generally recommended to drop any unexpected headers as early as possible when a request is handled, e.g. in the WAF.
Published: 2026-03-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch
AI Analysis

Impact

Ory Oathkeeper, an identity and access proxy, used to evaluate HTTP requests against configured access rules, failed to honor the serve.proxy.trust_forwarded_headers setting before version 26.2.0. As a result, it always considered the X-Forwarded-Proto header. An attacker who can supply this header and the application is configured with distinct rules for HTTP and HTTPS can trigger an alternative rule set that may grant unauthorized access. This is a privilege escalation type weakness (CWE‑862).

Affected Systems

All installations of Ory Oathkeeper running any version prior to 26.2.0 are affected, regardless of the underlying operating system. The issue exists if the application has separate access rules for http and https traffic and the X-Forwarded-Proto header is present in incoming requests.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate severity when the exploitation conditions are met. EPSS indicates that exploitation is expected to be rare (<1%). The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need the ability to send HTTP requests with arbitrary X-Forwarded-* headers to the Oathkeeper proxy, and the system must already contain divergent rule sets for different protocols. In most deployments the conditions for exploitation are unlikely, but in configurations that use protocol‑specific access rules the risk escalates to potential unauthorized access. The likely attack vector is network, with web traffic interception or injection at the proxy or CDN level.

Generated by OpenCVE AI on April 3, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ory Oathkeeper to version 26.2.0 or later.
  • Set serve.proxy.trust_forwarded_headers to true and avoid trusting X-Forwarded-* headers unless absolutely required.
  • Configure upstream WAF or reverse proxy to strip or reject unexpected X-Forwarded-* headers before reaching Oathkeeper.
  • Review access rule configuration to eliminate separate HTTP and HTTPS rules that could be exploited by header manipulation.

Generated by OpenCVE AI on April 3, 2026 at 00:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vhr5-ggp3-qq85 Ory Oathkeeper has an authentication bypass by usage of untrusted header
History

Thu, 02 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ory:oathkeeper:*:*:*:*:*:*:*:*

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Ory
Ory oathkeeper
Vendors & Products Ory
Ory oathkeeper

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component might forward the request to the Oathkeeper proxy with a different protocol (http vs. https) than the original request. In order to properly match the request against the configured rules, Oathkeeper considers the `X-Forwarded-Proto` header when evaluating rules. The configuration option `serve.proxy.trust_forwarded_headers` (defaults to false) governs whether this and other `X-Forwarded-*` headers should be trusted. Prior to version 26.2.0, Oathkeeper did not properly respect this configuration, and would always consider the `X-Forwarded-Proto` header. In order for an attacker to abuse this, an installation of Ory Oathkeeper needs to have distinct rules for HTTP and HTTPS requests. Also, the attacker needs to be able to trigger one but not the other rule. In this scenario, the attacker can send the same request but with the `X-Forwarded-Proto` header in order to trigger the other rule. We do not expect many configurations to meet these preconditions. Version 26.2.0 contains a patch. Ory Oathkeeper will correctly respect the `serve.proxy.trust_forwarded_headers` configuration going forward, thereby eliminating the attack scenario. We recommend upgrading to a fixed version even if the preconditions are not met. As an additional mitigation, it is generally recommended to drop any unexpected headers as early as possible when a request is handled, e.g. in the WAF.
Title Ory Oathkeeper has an authentication bypass by usage of untrusted header
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Ory Oathkeeper
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:47:00.766Z

Reserved: 2026-03-20T16:59:08.887Z

Link: CVE-2026-33495

cve-icon Vulnrichment

Updated: 2026-03-26T18:46:55.795Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T18:16:30.560

Modified: 2026-04-02T21:01:07.793

Link: CVE-2026-33495

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:38:56Z

Weaknesses