LeakyCreds
NewInstant webhook alerts now available — notified within seconds of any credential detection.Learn more →
Home / Vulnerability Intelligence / CVE-2026-33494

CVE-2026-33494 - Vulnerability Analysis

CriticalCVSS: 10.0

Last Updated: March 26, 2026

ORY Oathkeeper - Authorization Bypass

Published: March 26, 2026Updated: March 26, 2026Remote Exploitable

Overview

ORY Oathkeeper < 26.2.0 contains an authorization bypass caused by HTTP path traversal in URL path normalization, letting attackers bypass access control by crafting path traversal sequences, exploit requires crafted URL.

Severity & Score

Severity: Critical
CVSS Score: 10.0
EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Attackers can bypass authorization and access protected resources, potentially exposing sensitive data or functionality.

Mitigation

Upgrade to version 26.2.0 or later.

References

Social Media Activity(2 posts)

Offensive Sequence
Offensive Sequence
@offseq
Mar 26, 2026

CRITICAL: ory oathkeeper (<26.2.0) vulnerable to path traversal (CVE-2026-33494). Attackers can bypass authorization via crafted URLs. Upgrade to 26.2.0+ immediately. https://radar.offseq.com/threat/cve-2026-33494-cwe-23-relative-path-traversal-in-o-d845cb54 #OffSeq #CVE202633494 #infosec #vulnerability

View original post
Offensive Sequence
Offensive Sequence
@offseq
Mar 26, 2026

CRITICAL: ory oathkeeper (<26.2.0) vulnerable to path traversal (CVE-2026-33494). Attackers can bypass authorization via crafted URLs. Upgrade to 26.2.0+ immediately. https://radar.offseq.com/threat/cve-2026-33494-cwe-23-relative-path-traversal-in-o-d845cb54 #OffSeq #CVE202633494 #infosec #vulnerability

View original post

Related Resources

Details

CVE ID
CVE-2026-33494
Severity
Critical
CVSS Score
10.0
Type
broken_access_control
Status
new
EPSS
0.0%
Social Posts
2

CWE

  • CWE-23

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS Score

0.0%Probability of exploitation in the next 30 days