Is CVE-2026-33494 actively exploited?

CVE-2026-33494 has no public evidence of in-the-wild exploitation as of 2026-04-07.

What is the CVSS score for CVE-2026-33494?

CVE-2026-33494 has a CVSS score of 10 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N.

How do I patch CVE-2026-33494?

Patch guidance is available from ory security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-33494.

Fix CVE-2026-33494 - CRITICAL ory oathkeeper

Description

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: none
Weaknesses: CWE-23

Metadata

Primary Vendor: ORY
Published: 3/26/2026
Last Modified: 4/7/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

ory : oathkeeper

Remediation Guidance

Executive Summary

Cite this page

CVE-2026-33494. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-33494

View on NIST NVD

CVE-2026-33494 vulnerability