Edition No. 1

The Git Gazette

Your weekly repo roundup

ory/oathkeeper · Last 7 days

A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.

Security Status
🟡

5 advisories recently patched.

See Patch Wiresec's report below for details.

Last checked: Mar 23, 2026

Summary by Patch Wiresec

Critical Security Update Ships While Community Issues Pile Up

Here's what matters this week: 1 critical security release, 3 CVEs patched, and a growing backlog of silent bug reports.

THE CRITICAL STUFF: v26.2.0 shipped on March 21st with three CVE fixes at once. CVE-2026-33494 was CRITICAL: a path traversal authorization bypass affecting every version before v26.2.0. If you're running Oathkeeper in production, stop reading and update now. CVE-2026-33496 (HIGH) and CVE-2026-33495 (MEDIUM) rounded out the triple with an authentication bypass via cache key confusion and an auth bypass via untrusted headers respectively.

THE COMMUNITY FIX: @LennartKoot reported (#1264) and opened a fix for (#1265) the Decision API dropping the query string from X-Forwarded-Uri, so that rule matching sees the same URL the upstream will receive. Clean work that preserves URL integrity; the PR still awaits maintainer review.

THE SILENCE PROBLEM: Two open bugs (#1266, #1264) sit with zero community engagement. @xqqp's trailing slash bug and @LennartKoot's query string issue need attention. Meanwhile, issue #1154 got the "stale" treatment despite @qdrddr's requests to keep it alive.

Bottom line: Security patches deployed fast and clean, but the community's radio silence on bugs is concerning. Update to v26.2.0 immediately, then maybe show some love to those unattended issues.

Worth watching: Whether the maintainers will engage with the silent bug reports or if they'll join the growing ghost issue collection.

Sources: #1266, #1264, #1154, #1265
The Security Wire by Patch Wiresec

Triple Threat Neutralized: Oathkeeper Patches Critical Path Traversal and Auth Bypass Vulnerabilities

We had a situation that's now been contained. On March 20th, the Ory Oathkeeper team dropped three CVEs simultaneously — and when I say dropped, I mean they detonated like coordinated flash-bangs in the Identity & Access Proxy landscape.

CVE-2026-33494 was the big gun: a CRITICAL path traversal authorization bypass affecting every version before v26.2.0. This is the kind of vulnerability that keeps infrastructure teams awake at night. Path traversal in an IAP means the proxy can match a request against one access rule while the upstream resolves the same path to a different, protected resource, so the access controls are bypassed entirely, which defeats the purpose of having an access proxy in the first place. 🚨🚨🚨🚨🚨

CVE-2026-33496 followed with a HIGH-severity authentication bypass via cache key confusion. Cache confusion attacks are particularly nasty because they exploit the performance optimizations that make modern systems usable: when the cache key omits or collapses something the decision depended on, a decision computed for one request is served to another that never earned it, turning speed into a security liability.
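
What "cache key confusion" looks like in code, as an added Go example. It is the editor's illustration of the vulnerability class, not Oathkeeper's cache and not the specific mechanism of CVE-2026-33496, which the page does not describe. weakKey memoizes a decision by method, host and path only, so an authenticated caller warms the cache and the next anonymous request for the same route is handed the cached allow; strongKey binds the hashed credential and separates fields with a byte that cannot occur in them. Request, Decision, authorize and the bearer token are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Request carries the inputs an access decision depends on (constructed type).
type Request struct {
	Method, Host, Path string
	Authorization      string // e.g. "Bearer ..."; empty for an anonymous request
}

// Decision is what an IAP would cache: whether the request may pass and as whom.
type Decision struct {
	Allowed bool
	Subject string
}

// KeyFunc derives the cache key from a request.
type KeyFunc func(Request) string

// weakKey is the confusion-prone pattern: the key omits the credential, so the
// first caller's decision is replayed to anyone who later asks for the same route.
// Concatenating without a separator is a second confusion: host "a" + path "/b"
// and host "a/" + path "b" produce the same key.
func weakKey(r Request) string {
	return r.Method + " " + r.Host + r.Path
}

// strongKey binds every input the decision used. The credential is hashed so the
// cache never holds a raw bearer token, and fields are NUL-separated so they
// cannot collide by concatenation.
func strongKey(r Request) string {
	sum := sha256.Sum256([]byte(r.Authorization))
	return r.Method + "\x00" + r.Host + "\x00" + r.Path + "\x00" + hex.EncodeToString(sum[:])
}

// DecisionCache memoizes decisions under keys produced by key.
type DecisionCache struct {
	key   KeyFunc
	store map[string]Decision
	Hits  int
}

func NewDecisionCache(key KeyFunc) *DecisionCache {
	return &DecisionCache{key: key, store: map[string]Decision{}}
}

// authorize stands in for the real authenticator/authorizer pipeline (constructed
// for this example): exactly one constructed token is valid.
func authorize(r Request) Decision {
	if r.Authorization == "Bearer constructed-valid-token" {
		return Decision{Allowed: true, Subject: "alice"}
	}
	return Decision{Allowed: false}
}

// Decide returns the cached decision for r if one exists, otherwise computes and caches it.
func (c *DecisionCache) Decide(r Request) Decision {
	k := c.key(r)
	if d, ok := c.store[k]; ok {
		c.Hits++
		return d
	}
	d := authorize(r)
	c.store[k] = d
	return d
}

// Replay runs the attack sequence against a cache built with key: an authenticated
// request warms the cache, then an anonymous request for the same route asks again.
// It reports whether the anonymous request was let through.
func Replay(key KeyFunc) bool {
	c := NewDecisionCache(key)
	c.Decide(Request{Method: "GET", Host: "api.example.test", Path: "/admin", Authorization: "Bearer constructed-valid-token"})
	anon := c.Decide(Request{Method: "GET", Host: "api.example.test", Path: "/admin"})
	return anon.Allowed
}

func main() {
	fmt.Println("weak key lets the anonymous request through:", Replay(weakKey))     // true
	fmt.Println("strong key lets the anonymous request through:", Replay(strongKey)) // false
	fmt.Println("weak key collides on host/path boundary:",
		weakKey(Request{Host: "a", Path: "/b"}) == weakKey(Request{Host: "a/", Path: "b"})) // true
}
```

The key has to cover every input the decision depends on: the credential, the method, the host, the full URL including its query string, and anything an authorizer reads from other headers. Even a correct key still means a cached allow outlives revocation by up to the TTL, so keep the TTL short and invalidate on credential change where the design allows it.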

CVE-2026-33495 rounded out the triple with a MEDIUM-severity auth bypass through untrusted headers. Less severe, but header handling in auth systems is nothing to ignore: any header the proxy trusts that a client can set directly becomes an attacker-controlled input to the access decision.

Here's the good news: all three vulnerabilities were patched together in v26.2.0. This is textbook coordinated disclosure and rapid response from the Ory team.

IMMEDIATE ACTION REQUIRED: If you're running Oathkeeper in production, update to v26.2.0 immediately. This isn't a "get to it when convenient" situation — you're running an identity proxy with known critical bypasses.

Patch Wiresec signing off — nice work on the coordinated fix, Ory team.

The Drama Desk by Rita Conflictsón

Ghost Issues and Silent Bugs: When the Community Goes Quiet

DEVELOPING: The usually bustling halls of ory/oathkeeper have gone eerily quiet this week, but don't mistake silence for peace, dear readers. Sometimes the most telling drama is what's NOT being said.

Witness exhibit A: Issue #1266, where @xqqp discovered that Oathkeeper 26.2 is playing fast and loose with trailing slashes — stripping them like an overzealous bouncer. Zero comments. Zero reactions. The digital equivalent of crickets chirping. But here's the kicker: this one carries the bug label, folks. Silence on a bug report? That's not indifference, that's the calm before the storm.
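
The critical path traversal covered in the Security Wire and the trailing-slash stripping in #1266 come down to the same question: which form of the URL does the access rule get matched against? The added Go example below is the editor's illustration of that class, not Oathkeeper code and not the mechanism of CVE-2026-33494 (the page does not describe it). naivePrefixMatch compares a rule against the bytes the client sent, so a public-prefix rule accepts "/public/../admin"; CanonicalRequestURI decodes the path, resolves dot segments, collapses duplicate slashes, keeps the trailing slash and query string, and rejects encoded separators outright. The rule prefixes, function names and request-targets are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrAmbiguousPath is returned for request-targets whose meaning can differ between
// the proxy and the upstream; the safe decision for an IAP is to reject them.
var ErrAmbiguousPath = errors.New("ambiguous path: reject before rule matching")

// CanonicalRequestURI returns the form of a request-target that access rules should be
// matched against: percent-encoding in the path decoded, "." and ".." segments
// resolved, duplicate slashes collapsed, the trailing slash preserved and the query
// string kept intact.
func CanonicalRequestURI(raw string) (string, error) {
	// Encoded separators are the classic source of proxy/upstream disagreement:
	// one side decodes %2F into a slash before routing, the other does not.
	lower := strings.ToLower(raw)
	if strings.Contains(lower, "%2f") || strings.Contains(lower, "%5c") || strings.Contains(raw, "\\") {
		return "", ErrAmbiguousPath
	}
	u, err := url.ParseRequestURI(raw)
	if err != nil {
		return "", err
	}
	// u.Path is percent-decoded, so "/%2e%2e/admin" arrives here as "/../admin".
	p := u.Path
	if !strings.HasPrefix(p, "/") || strings.ContainsRune(p, 0) {
		return "", ErrAmbiguousPath
	}
	// path.Clean resolves traversal but also drops a trailing slash, and "/admin/"
	// is not the same resource as "/admin" to most routers; put it back explicitly.
	trailing := len(p) > 1 && strings.HasSuffix(p, "/")
	clean := path.Clean(p)
	if trailing && clean != "/" {
		clean += "/"
	}
	if u.RawQuery != "" {
		clean += "?" + u.RawQuery
	}
	return clean, nil
}

// naivePrefixMatch is the bypassable pattern: matching a rule against the bytes the
// client sent. A public rule for "/public/" accepts "/public/../admin".
func naivePrefixMatch(rulePrefix, raw string) bool {
	return strings.HasPrefix(raw, rulePrefix)
}

// RuleMatches evaluates the same prefix rule against the canonical path, so the rule
// that fires is the one for the resource the upstream will actually serve.
func RuleMatches(rulePrefix, raw string) (bool, error) {
	canon, err := CanonicalRequestURI(raw)
	if err != nil {
		return false, err
	}
	if i := strings.IndexByte(canon, '?'); i >= 0 {
		canon = canon[:i]
	}
	return strings.HasPrefix(canon, rulePrefix), nil
}

func main() {
	// Constructed request-targets; not taken from any advisory or issue.
	for _, raw := range []string{
		"/public/../admin?x=1", "/%2e%2e/admin", "//admin", "/admin/", "/api/users?id=7&sort=asc", "/a%2Fb",
	} {
		canon, err := CanonicalRequestURI(raw)
		naive := naivePrefixMatch("/public/", raw)
		fmt.Printf("%-26s naive[/public/]=%-5v canonical=%q err=%v\n", raw, naive, canon, err)
	}
}
```

The point of keeping the trailing slash is the #1266 symptom in reverse: a proxy that silently strips it evaluates a rule written for "/admin/" against "/admin" (or vice versa), so the decision is made for a resource the request never named. Whatever canonical form the IAP chooses, the upstream must be configured to interpret the path the same way, or the rejection branch should be widened.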

Meanwhile, #1264 presents us with a query string catastrophe courtesy of @LennartKoot. The Decision API is apparently treating query parameters like unwanted party guests, showing them the door via X-Forwarded-Uri. Again, zero engagement. Are we witnessing a community in hibernation or just the eye of a technical hurricane?

But wait — there's a ghost haunting these proceedings! Issue #1154 managed to accumulate 4 whole comments before being marked 'stale' and closed. @qdrddr's desperate pleas of "Hope it'll not be closed" and "Hope it's not forgotten" echo like cries in the digital wilderness.

Sometimes the biggest drama is the sound of issues falling in an empty forest. Will anyone hear them?

Sources: #1266, #1264, #1154

A Subtle Restoration: When URLs Lose Their Tails

In the rarefied world of reverse proxy artisanship, one observes that the most profound contributions often emerge from the most seemingly modest defects. Such is the case with PR #1265, where @LennartKoot has undertaken what can only be described as a delicate restoration of URL integrity—specifically addressing the rather unfortunate tendency of query strings to vanish like morning dew when passing through Oathkeeper's decision handler.

The artist's statement, though regrettably truncated mid-sentence (one suspects the GitHub form committed its own act of premature truncation), speaks to a fundamental concern: the preservation of the X-Forwarded-Uri's complete essence, query parameters intact. This is not merely a bug fix—it is an act of digital archaeology, ensuring that no precious fragment of the original request's intent is lost in translation.

What strikes this critic as particularly noteworthy is the understated nature of the contribution. No fanfare, no elaborate documentation—simply the quiet recognition that URLs arriving with ?param=value should depart with their tails still wagging, as it were. In an era of sweeping refactors and architectural upheavals, there is something refreshingly honest about code that simply endeavors to do what it promises.

The work awaits the discerning eye of the maintainers, but one suspects they will find it most satisfactory indeed.

Sources: #1265
The Shipping Forecast by Captain Semver

Major Storm System Makes Landfall: v26.2.0 Charts Safer Waters

SHIPPING FORECAST, issued Tuesday 0800 UTC: A significant weather system has cleared the harbor — Oathkeeper v26.2.0 dropped anchor on March 21st with critical security repairs and navigation improvements aboard.

Storm Damage Report: The fleet's been taking on water from a critical CVE (GHSA-p77j-4mvh-x3m3), with @adamwalach leading emergency repairs. Meanwhile, @zepatrik has been reinforcing the hull with path traversal protections and proper handling of X-Forwarded-* headers — essential work to prevent hostile vessels from manipulating our navigation instruments.
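
The X-Forwarded-* handling mentioned here, the untrusted-header bypass in the Security Wire, and the query-string loss in #1264 / PR #1265 share one concern: how a decision endpoint rebuilds the request it is deciding on, and from whom it accepts that description. The added Go example below is the editor's illustration, not Oathkeeper's decision handler and not the change in PR #1265. OriginalRequest honours X-Forwarded-Method/Proto/Host/Uri only when the peer address is in a trusted proxy list, and parses X-Forwarded-Uri with url.ParseRequestURI so the query string and trailing slash survive. The header names follow the forward-auth convention; TrustedProxies, the peer addresses and the sample headers are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// ErrUntrustedProxy is returned when X-Forwarded-* headers arrive from a peer that is
// not allowed to assert them; a client talking to the endpoint directly gets no decision.
var ErrUntrustedProxy = errors.New("X-Forwarded-* headers ignored: peer is not a trusted proxy")

// TrustedProxies lists the networks allowed to assert X-Forwarded-* headers
// (constructed for this example).
var TrustedProxies = mustCIDRs("10.0.0.0/8", "127.0.0.1/32")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

func isTrusted(peer net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(peer) {
			return true
		}
	}
	return false
}

// OriginalRequest reconstructs the method and URL a decision must be made for, from
// the X-Forwarded-Method/Proto/Host/Uri headers a forward-auth ingress sends. The
// headers are honoured only when the peer is a trusted proxy; the query string and
// trailing slash in X-Forwarded-Uri are preserved verbatim.
func OriginalRequest(peerIP string, hdr http.Header, trusted []*net.IPNet) (method string, u *url.URL, err error) {
	peer := net.ParseIP(peerIP)
	if peer == nil || !isTrusted(peer, trusted) {
		return "", nil, ErrUntrustedProxy
	}
	uri := hdr.Get("X-Forwarded-Uri")
	if uri == "" || !strings.HasPrefix(uri, "/") {
		return "", nil, errors.New("X-Forwarded-Uri missing or not an absolute path")
	}
	// ParseRequestURI keeps RawQuery; rebuilding the URL from u.Path alone would
	// drop it, which is exactly the #1264 symptom.
	u, err = url.ParseRequestURI(uri)
	if err != nil {
		return "", nil, err
	}
	u.Scheme = strings.ToLower(hdr.Get("X-Forwarded-Proto"))
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", nil, fmt.Errorf("unexpected X-Forwarded-Proto %q", u.Scheme)
	}
	u.Host = hdr.Get("X-Forwarded-Host")
	if u.Host == "" {
		return "", nil, errors.New("X-Forwarded-Host missing")
	}
	method = strings.ToUpper(hdr.Get("X-Forwarded-Method"))
	if method == "" {
		method = http.MethodGet
	}
	return method, u, nil
}

func main() {
	// Constructed headers, as a forward-auth ingress would send them.
	h := http.Header{}
	h.Set("X-Forwarded-Method", "POST")
	h.Set("X-Forwarded-Proto", "https")
	h.Set("X-Forwarded-Host", "api.example.test")
	h.Set("X-Forwarded-Uri", "/api/items/?q=1&sort=desc")

	m, u, err := OriginalRequest("10.1.2.3", h, TrustedProxies) // trusted peer
	fmt.Println(m, u, err)
	_, _, err = OriginalRequest("203.0.113.9", h, TrustedProxies) // direct client
	fmt.Println(err)
}
```

Without the peer check, anyone who can reach the decision endpoint directly can name whatever URL they like in X-Forwarded-Uri and receive a decision for it. The ingress must also overwrite these headers rather than append to client-supplied values, otherwise a client can pre-seed them before the proxy adds its own.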

Harbor Master's Log: This follows the massive fleet reorganization of v25.4.0, where Ory abandoned their traditional versioning charts for new navigation standards. The old v0.40.x series reached its final port call at v0.40.9 in January, addressing memory leaks in the id_token mutator cache (#1209).

Current Conditions: Light maintenance winds continue with @ory-bot handling routine documentation updates. The @hperl and @gaultier crews are reinforcing vulnerable dependencies and modernizing timeout handling with proper cause tracking.

Navigation Warning: All vessels should review the new release notes carefully — this isn't just routine maintenance but critical security patches that could prevent your ship from running aground on malicious shoals.

Forecast: Seas remain active with steady security-focused development. Captains are advised to update immediately.

Community Pulse by Flo Stargazer

Security Spring Cleaning Brings Community Together

What a busy week in Oathkeeper-land! The community rallied around some critical security fixes, and I'm loving the collaborative energy I'm seeing.

Our veteran contributors really stepped up this week. @adamwalach jumped in with a crucial CVE fix (GHSA-p77j-4mvh-x3m3), while @hperl tackled vulnerable dependencies across both Go and npm. Meanwhile, @zepatrik has been on a security tear with multiple fixes around header handling and path traversal prevention — that's the kind of proactive maintenance work that keeps our IAP rock-solid.

@aeneasr continues to be our infrastructure hero, updating to dockertest v4 and adding docker driver support for CVE scanning. And shoutout to @vinckr for keeping our contributor docs fresh!

I spotted some interesting activity from faces I haven't seen in a while: @gaultier contributed context cancellation improvements, @DavudSafarli enhanced keysetpagination, and @deepakprabhakara updated minimatch dependencies. It's wonderful seeing both familiar names and returning contributors pitching in.

With 18 unique actors this week and solid commit activity, our community health is looking strong. The mix of security fixes, infrastructure improvements, and maintenance work shows a mature project with engaged stewardship. Plus, 10 new stargazers joined us — welcome to the Zero Trust family!

Keep those contributions flowing, everyone. Security-focused weeks like this really showcase what makes open source communities shine.

Git Gazette: ory/oathkeeper — March 23, 2026 | The Git Gazette