Is github.com/ory/oathkeeper affected by CVE-2026-33494?

Go github.com/ory/oathkeeper is affected in <0.40.10-0.20260320084758-8e0002140491.

Is CVE-2026-33494 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.5%.

medium

CVE-2026-33494

Q: Is CVE-2026-33494 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.5%.

Go · github.com/ory/oathkeeper

Summary

Ory Oathkeeper has a path traversal authorization bypass in github.com/ory/oathkeeper

Severity: medium
EPSS: 0.5% (p40)
Also known as: GHSA-p224-6x5r-fjpm, GO-2026-4804
Published: 2026-03-23

References

https://github.com/ory/oathkeeper/security/advisories/GHSA-p224-6x5r-fjpm
https://github.com/ory/oathkeeper/commit/8e0002140491c592db41fa141dc6ad68f417e2b2

Related advisories

CVE-2026-33495 — medium · Go/github.com/ory/oathkeeper
CVE-2026-33496 — medium · Go/github.com/ory/oathkeeper

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.