What is CVE-2026-33494?

CVE-2026-33494 is a critical-severity vulnerability in Ory Oathkeeper, classified under Relative Path Traversal. CVSS score: 10.0/10. Published 2026-03-26.

How severe is CVE-2026-33494?

Critical severity. CVSS v3 base score is 10.0 out of 10.

Path Traversal in Ory Oathkeeper

CVE-2026-33494

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An…

EPSS: 0.000 (10.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N.

Affected products

Ory Oathkeeper — versions < 26.2.0

Weakness classification (CWE)

CWE-23 — Relative Path Traversal

References

https://github.com/ory/oathkeeper/security/advisories/GHSA-p224-6x5r-fjpm (x_refsource_CONFIRM)
https://github.com/ory/oathkeeper/commit/8e0002140491c592db41fa141dc6ad68f417e2b2 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33494?: CVE-2026-33494 is a critical-severity vulnerability in Ory Oathkeeper, classified under Relative Path Traversal. CVSS score: 10.0/10. Published 2026-03-26.
How severe is CVE-2026-33494?: Critical severity. CVSS v3 base score is 10.0 out of 10.