CVE-2026-33494
ORY · Oathkeeper
ORY Oathkeeper versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal where raw paths are matched against permissive rules before normalization.
Executive summary
ORY Oathkeeper is subject to a critical authorization bypass that allows unauthenticated attackers to reach protected administrative endpoints by placing path traversal sequences in HTTP requests.
Vulnerability
The vulnerability exists in the rule evaluation engine, which uses un-normalized HTTP paths to match access rules. An unauthenticated attacker can craft a URL containing traversal sequences (e.g., /public/../admin) that bypasses restrictive rules but resolves to protected paths after server-side normalization.
Business impact
This flaw effectively nullifies the security posture of the Identity & Access Proxy, allowing unauthorized access to sensitive internal APIs and administrative secrets. Given the CVSS score of 10.0, the risk is maximum, as it enables complete bypass of the primary security gatekeeper for protected infrastructure.
Remediation
Immediate Action: Upgrade ORY Oathkeeper to version 26.2.0 or later, which performs path normalization before access rules are evaluated.
Proactive Monitoring: Review access logs for requests containing dot-dot-slash (../) sequences targeted at known public or permissive endpoints.
Compensating Controls: Ensure that downstream services perform their own secondary authorization checks, and use a WAF to block requests containing plain or URL-encoded path traversal sequences.
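The following Go program is an added illustration of the rule-matching flaw described above and of the log review recommended under Proactive Monitoring; it is not Oathkeeper's own code. It assumes a constructed permissive rule for `/public/`, constructed target paths such as `/admin/rules`, and constructed access-log lines in a simple `METHOD PATH STATUS` layout; a request is flagged when raw prefix matching would allow it but the normalized path falls outside the permissive prefix.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

var publicPrefixes = []string{"/public/"} // constructed permissive rule: /public/ needs no auth

// normalize percent-decodes and collapses "." / ".." segments before any rule is evaluated.
func normalize(raw string) string {
	if decoded, err := url.PathUnescape(raw); err == nil {
		raw = decoded // undecodable input keeps its raw form
	}
	return path.Clean("/" + raw)
}

// allowedByRawMatch mirrors the flawed check: prefix-match the un-normalized path.
func allowedByRawMatch(p string) bool {
	for _, prefix := range publicPrefixes {
		if strings.HasPrefix(p, prefix) {
			return true
		}
	}
	return false
}

// traversalMismatch flags a path that raw matching allows but normalization moves outside the prefix.
func traversalMismatch(raw string) bool {
	return allowedByRawMatch(raw) && !allowedByRawMatch(normalize(raw))
}

// scanLog returns the constructed "METHOD PATH STATUS" log lines showing the mismatch.
func scanLog(lines []string) []string {
	var hits []string
	for _, line := range lines {
		if f := strings.Fields(line); len(f) >= 2 && traversalMismatch(f[1]) {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() { // constructed sample log lines
	for _, h := range scanLog([]string{"GET /public/index.html 200", "GET /public/%2e%2e/admin/rules 200"}) {
		fmt.Println("suspicious:", h)
	}
}
```

Because the check compares the raw and normalized forms rather than searching for a fixed `../` string, it also catches percent-encoded variants that a plain substring grep would miss.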
Exploitation status
Public Exploit Available: false
Analyst recommendation
As an Identity and Access Proxy, the failure of Oathkeeper to correctly normalize paths is a fundamental security failure. Organizations must prioritize this update to prevent unauthorized actors from reaching internal resources that rely on the proxy for protection.