Description
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The `oauth2_introspection` authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and subsequently use the same token for rules that use a different introspection server. Ory Oathkeeper has to be configured with multiple `oauth2_introspection` authenticator servers, each accepting different tokens. The authenticators also must be configured to use caching. An attacker has to have a way to gain a valid token for one of the configured introspection servers. Starting in version 26.2.0, Ory Oathkeeper includes the introspection server URL in the cache key, preventing confusion of tokens. Update to the patched version of Ory Oathkeeper. If that is not immediately possible, disable caching for `oauth2_introspection` authenticators.
Published: 2026-03-26
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass via Cache Key Confusion
Action: Immediate Patch
AI Analysis

Impact

Ory Oathkeeper, an Identity & Access Proxy, does not include the introspection server URL in the cache key used by its oauth2_introspection authenticators, so a cached "active" verdict for a token is not tied to the server that produced it. An attacker holding a token that is valid at one configured introspection server can present it to a rule backed by that server, which legitimately validates it and caches the result, and then present the same token to rules backed by a different introspection server; within the cache lifetime those rules serve the cached verdict instead of asking their own server, which would have rejected the token. The attacker thereby reaches resources guarded by the second server's rules without holding a credential for it, compromising the confidentiality and integrity of those services. The flaw carries a CVSS 3.1 base score of 8.1 and is classified under CWE-1289 (Improper Validation of Unsafe Equivalence in Input) and CWE-305 (Authentication Bypass by Primary Weakness).
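To make the cache-key confusion concrete, the following is an added example in Go (Oathkeeper's own language) written for this page; it is not Oathkeeper's source and does not reproduce its cache implementation. It models two introspection servers that each recognise only their own tokens, one response cache shared by both authenticator configurations, and two key derivations: a token-only key (the pre-26.2.0 behaviour the advisory describes) and a key that prefixes the introspection URL (what the advisory says 26.2.0 does; the exact encoding upstream is an assumption). The server URLs, token values and TTL are constructed for the example. The third scenario shows the advisory's workaround: with caching disabled the same token-only key is harmless.

```go
package main

import (
	"fmt"
	"time"
)

// introspectionResult is the part of an RFC 7662 introspection response that matters here.
type introspectionResult struct{ Active bool }

// introspector stands in for one remote introspection server; each server only recognises
// its own tokens. Servers, URLs and token values below are constructed for this example.
type introspector func(token string) introspectionResult

// responseCache is a minimal TTL cache shared by all authenticator instances, the situation
// the advisory describes: one cache, several introspection URLs. Single-goroutine demo, no locking.
type responseCache struct{ entries map[string]cacheEntry }

type cacheEntry struct {
	result    introspectionResult
	expiresAt time.Time
}

func newResponseCache() *responseCache { return &responseCache{entries: map[string]cacheEntry{}} }

func (c *responseCache) get(key string) (introspectionResult, bool) {
	e, ok := c.entries[key]
	if !ok || time.Now().After(e.expiresAt) {
		delete(c.entries, key)
		return introspectionResult{}, false
	}
	return e.result, true
}

func (c *responseCache) set(key string, r introspectionResult, ttl time.Duration) {
	c.entries[key] = cacheEntry{result: r, expiresAt: time.Now().Add(ttl)}
}

// keyFunc derives the cache key from the introspection URL and the token.
type keyFunc func(introspectionURL, token string) string

// vulnerableKey models the pre-26.2.0 behaviour the advisory describes: the key depends on
// the token alone, so entries from different introspection servers collide.
func vulnerableKey(_ string, token string) string { return token }

// patchedKey binds the entry to the server that produced it. The advisory says 26.2.0 puts
// the URL in the key; the concrete encoding used upstream is an assumption here.
func patchedKey(introspectionURL, token string) string { return introspectionURL + "\x00" + token }

// authenticator models one oauth2_introspection handler configuration.
type authenticator struct {
	introspectionURL string
	server           introspector
	cache            *responseCache // nil models caching disabled (the workaround)
	key              keyFunc
	ttl              time.Duration
}

// authenticate reports whether the token is accepted, consulting the cache first.
// Only active responses are cached in this model.
func (a *authenticator) authenticate(token string) bool {
	k := a.key(a.introspectionURL, token)
	if a.cache != nil {
		if r, ok := a.cache.get(k); ok {
			return r.Active
		}
	}
	r := a.server(token)
	if a.cache != nil && r.Active {
		a.cache.set(k, r, a.ttl)
	}
	return r.Active
}

// runScenario plays the attack: present a token valid only at server A to a rule backed by
// A (priming the cache), then present the same token to a rule backed by server B.
// It returns whether each request was accepted; a true second value is the bypass.
func runScenario(key keyFunc, caching bool) (primed, confused bool) {
	serverA := func(t string) introspectionResult { return introspectionResult{Active: t == "token-a"} }
	serverB := func(t string) introspectionResult { return introspectionResult{Active: t == "token-b"} }
	var shared *responseCache
	if caching {
		shared = newResponseCache()
	}
	ruleA := &authenticator{introspectionURL: "https://a.example/introspect", server: serverA, cache: shared, key: key, ttl: time.Minute}
	ruleB := &authenticator{introspectionURL: "https://b.example/introspect", server: serverB, cache: shared, key: key, ttl: time.Minute}
	primed = ruleA.authenticate("token-a")
	confused = ruleB.authenticate("token-a")
	return primed, confused
}

func main() {
	p, c := runScenario(vulnerableKey, true)
	fmt.Printf("token-only key, cache on  (vulnerable):  primed=%v cross-server accepted=%v\n", p, c)
	p, c = runScenario(patchedKey, true)
	fmt.Printf("URL+token key,  cache on  (26.2.0 fix):  primed=%v cross-server accepted=%v\n", p, c)
	p, c = runScenario(vulnerableKey, false)
	fmt.Printf("token-only key, cache off (workaround):  primed=%v cross-server accepted=%v\n", p, c)
}
```

The first scenario accepts `token-a` on the rule backed by server B purely because the cache hit on the token string; the second misses the cache (different URL in the key) and asks server B, which rejects it; the third has no cache at all, so every request goes to the right server. When auditing a real deployment, the question to answer is the same one `runScenario` asks: can a token accepted by one `introspection_url` reach a rule configured with a different one while a cached verdict is still live.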

Affected Systems

The issue affects Ory Oathkeeper releases prior to 26.2.0, and only deployments that configure more than one oauth2_introspection authenticator (each with a different introspection_url, each accepting different tokens) with caching enabled. Administrators running a version before 26.2.0 should check their access rules and global configuration for multiple oauth2_introspection configurations with distinct introspection URLs and confirm whether caching is enabled for them; a deployment with a single introspection server, or with caching disabled, is not exposed to this particular issue.

Risk and Exploitability

The CVSS 3.1 base score is 8.1 (High; vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), while the EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, so the impact is serious but current data show no sign of exploitation in the wild. Exploitation needs only ordinary HTTP requests through Oathkeeper, but it has preconditions: the attacker must hold a token accepted by one of the configured introspection servers (hence PR:L), the deployment must use more than one oauth2_introspection configuration with different introspection URLs, caching must be enabled, and the priming request and the cross-server request must both land within the cache lifetime. Because the bypass depends entirely on the shared cache, either upgrading to 26.2.0 or disabling caching for the oauth2_introspection authenticators removes it.

Generated by OpenCVE AI on April 7, 2026 at 23:42 UTC.

Remediation

Fixed in Ory Oathkeeper 26.2.0, which includes the introspection server URL in the cache key. Workaround until the upgrade can be applied: disable caching for the oauth2_introspection authenticators.

OpenCVE Recommended Actions

  • Update Ory Oathkeeper to version 26.2.0 or newer.
  • If an update cannot be applied immediately, disable caching for all oauth2_introspection authenticators.


Advisories
Source: GitHub GHSA
ID: GHSA-4mq7-pvjg-xp2r
Title: Ory Oathkeeper has an authentication bypass by cache key confusion
History

Tue, 07 Apr 2026 21:30:00 +0000

Values added:
CPEs: cpe:2.3:a:ory:oathkeeper:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 12:15:00 +0000

Values added:
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 08:45:00 +0000

Values added:
First Time appeared: Ory; Ory oathkeeper
Vendors & Products: Ory; Ory oathkeeper

Thu, 26 Mar 2026 17:45:00 +0000

Values added:
Description: the advisory text shown in the Description section above
Title: Ory Oathkeeper has an authentication bypass by cache key confusion
Weaknesses: CWE-1289, CWE-305
References: none listed
Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T11:20:55.765Z

Reserved: 2026-03-20T16:59:08.887Z

Link: CVE-2026-33496

Vulnrichment

Updated: 2026-03-30T11:19:31.962Z

NVD

Status : Analyzed

Published: 2026-03-26T18:16:30.730

Modified: 2026-04-07T21:15:26.460

Link: CVE-2026-33496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:01:12Z

Weaknesses