ORY Oathkeeper Authentication Bypass Vulnerability via Cache Key Confusion
Vulnerability
A vulnerability allowing authentication bypass has been identified in ORY Oathkeeper versions prior to 26.2.0. This issue arises from the 'oauth2_introspection' authenticator cache, which fails to differentiate tokens validated against different introspection URLs. As a result, an attacker can use a token to prime the cache and then present the same token to access rules associated with a different introspection server. Exploitation requires Oathkeeper to be configured with multiple 'oauth2_introspection' authenticators pointing at different introspection servers, each accepting different tokens, and caching to be enabled for those authenticators. Additionally, the attacker must obtain a valid token for one of the configured introspection servers.
Impact
Successful exploitation allows an attacker to bypass authentication by manipulating the token cache, potentially gaining unauthorized access to resources or actions governed by the affected access rules.
Reproduction
To reproduce this vulnerability, configure ORY Oathkeeper with multiple 'oauth2_introspection' authenticator servers that accept different tokens. Ensure that caching is enabled for the authenticators. Obtain a valid token for one of the introspection servers and use it to prime the cache. Then, apply the same token to access rules that rely on a different introspection server, taking advantage of the cache key confusion to bypass authentication.
Remediation
Update ORY Oathkeeper to version 26.2.0 or later, where this vulnerability has been patched. If an immediate update is not possible, disable caching for 'oauth2_introspection' authenticators.
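The following Go program is an added example, not Oathkeeper's own code, that models the cache key confusion described under Vulnerability and the two mitigations under Remediation. The introspection servers, their URLs, the sample token and the authenticator structure are all constructed for the illustration; the assumption that only successful introspection verdicts are cached and the exact shape of the key derivation are likewise assumptions of this model rather than details taken from the project.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// introspector stands in for one remote OAuth2 introspection server.
// Constructed for this example: it simply knows which tokens it considers active.
type introspector struct {
	url    string
	active map[string]bool
}

// Introspect returns whether this server reports the token as active.
func (s introspector) Introspect(token string) bool { return s.active[token] }

// cacheKeyFunc derives the cache key for an (introspection URL, token) pair.
type cacheKeyFunc func(introspectionURL, token string) string

// tokenOnlyKey models the flawed behaviour the advisory describes: the key
// depends on the token alone, so a verdict obtained from one introspection
// server is reused for every other server.
func tokenOnlyKey(_, token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// scopedKey binds the cached verdict to the introspection URL that produced it.
func scopedKey(introspectionURL, token string) string {
	sum := sha256.Sum256([]byte(introspectionURL + "\x00" + token))
	return hex.EncodeToString(sum[:])
}

// authenticator is a minimal model of an oauth2_introspection authenticator
// whose result cache is shared by every access rule that uses it.
type authenticator struct {
	servers      map[string]introspector // keyed by introspection URL
	cache        map[string]bool         // cached "active" verdicts
	keyFn        cacheKeyFunc
	cacheEnabled bool
}

func newAuthenticator(keyFn cacheKeyFunc, cacheEnabled bool, servers ...introspector) *authenticator {
	a := &authenticator{
		servers:      make(map[string]introspector),
		cache:        make(map[string]bool),
		keyFn:        keyFn,
		cacheEnabled: cacheEnabled,
	}
	for _, s := range servers {
		a.servers[s.url] = s
	}
	return a
}

// Authenticate validates token against the introspection server that the
// access rule's authenticator config points at, consulting the cache first.
func (a *authenticator) Authenticate(introspectionURL, token string) bool {
	key := a.keyFn(introspectionURL, token)
	if a.cacheEnabled {
		if verdict, hit := a.cache[key]; hit {
			return verdict
		}
	}
	srv, known := a.servers[introspectionURL]
	if !known {
		return false
	}
	active := srv.Introspect(token)
	// Only successful introspections are cached (assumption of this model).
	if a.cacheEnabled && active {
		a.cache[key] = true
	}
	return active
}

// bypassPossible runs the scenario from the advisory: a token valid only for
// server A primes the cache through a rule bound to A, then is presented to a
// rule bound to server B. It reports whether B's rule wrongly accepts it.
func bypassPossible(keyFn cacheKeyFunc, cacheEnabled bool) bool {
	const tokenA = "tok-issued-by-A" // constructed sample token
	serverA := introspector{url: "https://idp-a.example/introspect", active: map[string]bool{tokenA: true}}
	serverB := introspector{url: "https://idp-b.example/introspect", active: map[string]bool{}}
	auth := newAuthenticator(keyFn, cacheEnabled, serverA, serverB)

	// Step 1: legitimate use against a rule that introspects at server A.
	if !auth.Authenticate(serverA.url, tokenA) {
		panic("token should be valid at server A")
	}
	// Step 2: the same token against a rule that introspects at server B.
	return auth.Authenticate(serverB.url, tokenA)
}

func main() {
	fmt.Println("token-only key, cache on :", bypassPossible(tokenOnlyKey, true))  // true: bypass
	fmt.Println("token-only key, cache off:", bypassPossible(tokenOnlyKey, false)) // false: mitigation
	fmt.Println("URL-scoped key, cache on :", bypassPossible(scopedKey, true))     // false: fix
}
```

The first run shows the flaw: with a token-only key, the verdict cached for server A is returned for the rule bound to server B. Disabling the cache (the advisory's interim mitigation) removes the shared state, and scoping the key to the introspection URL (the shape of a proper fix) keeps verdicts from different servers apart while still allowing caching.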