GHSA-QVP4-RPMR-XWRR

GHSA-QVP4-RPMR-XWRR is a high-severity incorrect authorization vulnerability in github.com/ory/oathkeeper (go), affecting versions >= 0.38.0-beta.2, <= 0.38.11-beta.1. It is fixed in 0.38.12-beta.1.

Summary

Workarounds

Per default, caching is disabled for the oauth2_introspection authenticator. When caching is disabled, this vulnerability does not exist.

Trace

The cache is checked in func (a *AuthenticatorOAuth2Introspection) Authenticate(...). From tokenFromCache() it seems that it only validates the token expiration date, but ignores whether the token has or not the proper scopes.

Post-Mortem

The vulnerability was introduced in PR #424. During review, we failed to require appropriate test coverage by the submitter which is the primary reason that the vulnerability passed the review process.

To avoid this from happening again we enabled codecov with a strict policy on the Ory Oathkeeper repository: Without an increase in code coverage the PR can not be merged.

To address this issue and any regressions we have added a test suite ensuring that the cache behaviour is correct in the different scenarios:

  • Scope strategy is none, cache is enabled, and requested_scope is not empty -> cache will not be used;
  • Scope strategy is none, cache is enabled, and requested_scope is empty -> cache will be used;
  • Scope strategy is not none, cache is enabled, and requested_scope is not empty -> cache will be used;

as well as validating if iss, aud, exp, token_use, and scope are validated.

Additionally, we added CodeQL scanning to the CI.

Impact

When you make a request to an endpoint that requires the scope foo using an access token granted with that foo scope, introspection will be valid and that token will be cached. The problem comes when a second requests to an endpoint that requires the scope bar is made before the cache has expired. Whether the token is granted or not to the bar scope, introspection will be valid.

The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.

GHSA-QVP4-RPMR-XWRR has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.38.12-beta.1); upgrading removes the vulnerable code path.

Affected versions

github.com/ory/oathkeeper (>= 0.38.0-beta.2, <= 0.38.11-beta.1)

Security releases

github.com/ory/oathkeeper → 0.38.12-beta.1 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

A patch will be released with v0.38.12-beta.1.

Frequently Asked Questions

  1. What is GHSA-QVP4-RPMR-XWRR? GHSA-QVP4-RPMR-XWRR is a high-severity incorrect authorization vulnerability in github.com/ory/oathkeeper (go), affecting versions >= 0.38.0-beta.2, <= 0.38.11-beta.1. It is fixed in 0.38.12-beta.1. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
  2. How severe is GHSA-QVP4-RPMR-XWRR? GHSA-QVP4-RPMR-XWRR has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/ory/oathkeeper are affected by GHSA-QVP4-RPMR-XWRR? github.com/ory/oathkeeper (go) versions >= 0.38.0-beta.2, <= 0.38.11-beta.1 is affected.
  4. Is there a fix for GHSA-QVP4-RPMR-XWRR? Yes. GHSA-QVP4-RPMR-XWRR is fixed in 0.38.12-beta.1. Upgrade to this version or later.
  5. Is GHSA-QVP4-RPMR-XWRR exploitable, and should I be worried? Whether GHSA-QVP4-RPMR-XWRR is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-QVP4-RPMR-XWRR is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-QVP4-RPMR-XWRR? Upgrade github.com/ory/oathkeeper to 0.38.12-beta.1 or later.

Other vulnerabilities in github.com/ory/oathkeeper

CVE-2026-33494CVE-2026-33496CVE-2021-32701

Stop the waste.
Protect your environment with Kodem.