LeakyCreds

CVE-2026-33496 - Vulnerability Analysis

Severity: High | CVSS: 8.1

Last Updated: March 26, 2026

ORY Oathkeeper - Authentication Bypass

Published: March 26, 2026 | Updated: March 26, 2026 | Remote Exploitable

Overview

ORY Oathkeeper versions before 26.2.0 contain an authentication bypass caused by cache key confusion in the oauth2_introspection authenticator. Because cached introspection results are not keyed by the introspection server that produced them, an attacker holding a token that is valid for one introspection server can pass authentication on rules bound to a different introspection server. Exploitation requires multiple configured introspection servers and caching enabled.

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 13.8% (probability of exploitation in the next 30 days)

Impact

Attackers with a valid token can bypass authentication for different introspection servers, potentially gaining unauthorized access.

Mitigation

Update to version 26.2.0 or later, or disable caching for oauth2_introspection authenticators.
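The interim mitigation above is a configuration change. The fragment below is an added illustration, not configuration from this page or from the ORY project: it shows the vulnerable shape (two access rules pointing at different introspection servers with the shared result cache left on) next to the hardened shape (cache disabled until the upgrade). It assumes the Oathkeeper config layout `authenticators.oauth2_introspection.config.cache.enabled` and per-rule `introspection_url` overrides; the hostnames are placeholders.

```yaml
# --- Vulnerable shape (constructed example): multiple introspection servers,
# caching enabled. A token accepted by idp-a can be replayed against a rule
# bound to idp-b because the cached verdict is not tied to the server.
authenticators:
  oauth2_introspection:
    enabled: true
    config:
      introspection_url: https://idp-a.example.invalid/oauth2/introspect  # placeholder
      cache:
        enabled: true        # the condition the advisory says is required for exploitation
        ttl: 60s

# access rule overriding the introspection server for a second tenant
# (placeholder rule; key names assumed to match Oathkeeper's rule schema)
# - id: tenant-b-api
#   authenticators:
#     - handler: oauth2_introspection
#       config:
#         introspection_url: https://idp-b.example.invalid/oauth2/introspect  # placeholder

# --- Hardened shape (interim, pre-26.2.0): same rules, caching disabled so
# every request is checked against the introspection server the rule names.
authenticators:
  oauth2_introspection:
    enabled: true
    config:
      introspection_url: https://idp-a.example.invalid/oauth2/introspect  # placeholder
      cache:
        enabled: false       # mitigation from the advisory; remove once on >= 26.2.0
```

Disabling the cache adds one introspection round trip per request, so the preferred fix remains upgrading to 26.2.0 or later; a deployment with only a single introspection server is not in the vulnerable configuration and can keep caching on.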

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 26, 2026

🟠 CVE-2026-33496 - High (8.1) ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The `oaut... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33496/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-33496
Severity: High
CVSS Score: 8.1
Type: broken_authentication
Status: new
EPSS: 13.8%
Social Posts: 1

CWE

  • CWE-305

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score

13.8% (probability of exploitation in the next 30 days)