Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0791

NIXPKGS-2026-0791
published 2 months, 4 weeks ago
Permalink CVE-2026-33494
10.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 4 weeks ago
  • @LeSuisse accepted 2 months, 4 weeks ago
  • @LeSuisse published on GitHub 2 months, 4 weeks ago
Ory Oathkeeper has a path traversal authorization bypass

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.

Affected products

oathkeeper
  • ==< 26.2.0

Matching in nixpkgs

pkgs.oathkeeper

Open-source identity and access proxy that authorizes HTTP requests based on sets of rules

Package maintainers

Upstream advisory: https://github.com/ory/oathkeeper/security/advisories/GHSA-p224-6x5r-fjpm
Upstream patch: https://github.com/ory/oathkeeper/commit/8e0002140491c592db41fa141dc6ad68f417e2b2