NIXPKGS-2026-0791

GitHub issue published on 27 Mar 2026

Permalink CVE-2026-33494

10.0 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 1 day ago by @LeSuisse Activity log

Created automatic suggestion 1 day, 8 hours ago
@LeSuisse accepted 1 day ago
@LeSuisse published on GitHub 1 day ago

Ory Oathkeeper has a path traversal authorization bypass

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.

References

https://github.com/ory/oathkeeper/security/advisories/GHSA-p224-6x5r-fjpm x_refsource_CONFIRM
https://github.com/ory/oathkeeper/commit/8e0002140491c592db41fa141dc6ad68f417e2b2 x_refsource_MISC

Affected products

oathkeeper

==< 26.2.0

Matching in nixpkgs

pkgs.oathkeeper

Open-source identity and access proxy that authorizes HTTP requests based on sets of rules

nixos-unstable 26.2.0
- nixpkgs-unstable 26.2.0
- nixos-unstable-small 26.2.0
nixos-25.11 0.40.9
- nixos-25.11-small 0.40.9
- nixpkgs-25.11-darwin 0.40.9

Package maintainers

@camcalaquian Carl Calaquian <camcalaquian@gmail.com>

Upstream advisory: https://github.com/ory/oathkeeper/security/advisories/GHSA-p224-6x5r-fjpm
Upstream patch: https://github.com/ory/oathkeeper/commit/8e0002140491c592db41fa141dc6ad68f417e2b2

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0791

References

Affected products

Matching in nixpkgs

pkgs.oathkeeper

Package maintainers