CVE-2026-33496: Ory Oathkeeper has an authentication bypass by cache key confusion

March 20, 2026 (updated March 27, 2026)

Ory Oathkeeper is vulnerable to authentication bypass due to cache key confusion. The oauth2_introspection authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and subsequently use the same token for rules that use a different introspection server.

References

github.com/advisories/GHSA-4mq7-pvjg-xp2r
github.com/ory/oathkeeper
github.com/ory/oathkeeper/commit/198a2bc82a99e0a77bd0ffe290cbdd5285a1b17c
github.com/ory/oathkeeper/security/advisories/GHSA-4mq7-pvjg-xp2r
nvd.nist.gov/vuln/detail/CVE-2026-33496

Code Behaviors & Features

Detect and mitigate CVE-2026-33496 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →