What is CVE-2026-33496?

CVE-2026-33496 is a high-severity vulnerability in Ory Oathkeeper, classified under CWE-1289. CVSS score: 8.1/10. Published 2026-03-26.

How severe is CVE-2026-33496?

High severity. CVSS v3 base score is 8.1 out of 10.

Vulnerability in Ory Oathkeeper

CVE-2026-33496

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. T…

EPSS: 0.001 (22.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N.

Affected products

Ory Oathkeeper — versions < 26.2.0

Weakness classification (CWE)

References

https://github.com/ory/oathkeeper/security/advisories/GHSA-4mq7-pvjg-xp2r (x_refsource_CONFIRM)
https://github.com/ory/oathkeeper/commit/198a2bc82a99e0a77bd0ffe290cbdd5285a1b17c (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33496?: CVE-2026-33496 is a high-severity vulnerability in Ory Oathkeeper, classified under CWE-1289. CVSS score: 8.1/10. Published 2026-03-26.
How severe is CVE-2026-33496?: High severity. CVSS v3 base score is 8.1 out of 10.