{"package":"github.com/ory/oathkeeper","ecosystem":"go","latest_version":"v0.40.9","description":"A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.","license":"Apache-2.0","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://pkg.go.dev/github.com/ory/oathkeeper","repository":"https://github.com/ory/oathkeeper","downloads_weekly":3552,"health":{"score":44,"risk":"high","breakdown":{"maintenance":5,"popularity":6,"security":8,"maturity":15,"community":10},"deprecated":false,"max_score":100},"vulnerabilities":{"count":6,"critical":1,"high":1,"medium":1,"low":3,"details":[{"vuln_id":"CVE-2026-33496","severity":"high","summary":"Ory Oathkeeper has an authentication bypass by cache key confusion","affected_versions":"<0.40.10-0.20260320084801-198a2bc82a99","fixed_version":"0.40.10-0.20260320084801-198a2bc82a99","source":"osv","published_at":"2026-03-20T20:51:07Z","in_kev":false,"epss_prob":0.00177,"epss_percentile":0.38887,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-33494","severity":"critical","summary":"Ory Oathkeeper has a path traversal authorization bypass","affected_versions":"<0.40.10-0.20260320084758-8e0002140491","fixed_version":"0.40.10-0.20260320084758-8e0002140491","source":"osv","published_at":"2026-03-20T20:51:24Z","in_kev":false,"epss_prob":0.00088,"epss_percentile":0.2489,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-33495","severity":"medium","summary":"Ory Oathkeeper has an authentication bypass by usage of untrusted header","affected_versions":"<0.40.10-0.20260320084810-e9acca14a04d","fixed_version":"0.40.10-0.20260320084810-e9acca14a04d","source":"osv","published_at":"2026-03-20T20:50:54Z","in_kev":false,"epss_prob":0.00047,"epss_percentile":0.1433,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-33496","severity":"unknown","summary":"Ory Oathkeeper has an authentication bypass by cache key confusion in github.com/ory/oathkeeper","affected_versions":"<0.40.10-0.20260320084801-198a2bc82a99","fixed_version":"0.40.10-0.20260320084801-198a2bc82a99","source":"osv","published_at":"2026-03-23T18:16:14Z","in_kev":false,"epss_prob":0.00177,"epss_percentile":0.38887,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-33494","severity":"unknown","summary":"Ory Oathkeeper has a path traversal authorization bypass in github.com/ory/oathkeeper","affected_versions":"<0.40.10-0.20260320084758-8e0002140491","fixed_version":"0.40.10-0.20260320084758-8e0002140491","source":"osv","published_at":"2026-03-23T18:16:18Z","in_kev":false,"epss_prob":0.00088,"epss_percentile":0.2489,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-33495","severity":"unknown","summary":"Ory Oathkeeper has an authentication bypass by usage of untrusted header in github.com/ory/oathkeeper","affected_versions":"<0.40.10-0.20260320084810-e9acca14a04d","fixed_version":"0.40.10-0.20260320084810-e9acca14a04d","source":"osv","published_at":"2026-03-23T18:16:18Z","in_kev":false,"epss_prob":0.00047,"epss_percentile":0.1433,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"v0.40.9","total_count":123,"recent":["v0.36.0-beta.2","v0.39.3-pre.0","v0.19.3-beta.1","v0.0.22","v0.0.17","v0.16.0-beta.4","v0.39.4","v1.0.0-beta.5","v0.0.6","v0.0.7","v0.39.0","v0.17.4-beta.1","v0.0.11","v0.38.17-beta.1","v0.38.15-beta.1","v0.39.3","v0.16.0-beta.5","v0.38.14-beta.1","v0.38.0-beta.2","v0.38.9-beta.1.pre.1"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":125,"first_published":null,"last_published":"2025-01-30T10:09:47Z","dependencies_count":0,"dependencies":[]},"github_stats":{"stars":3552,"forks":406,"open_issues":97,"is_archived":false,"pushed_at":"2026-04-28T12:43:04Z","subscribers_count":47},"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["1 high severity vulnerabilities","1 critical vulnerabilities"],"use_version":"v0.40.9","version_hint":"Update to >= 0.40.10-0.20260320084810-e9acca14a04d to fix known vulnerabilities","summary":"github.com/ory/oathkeeper has critical vulnerabilities — do not use"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":20,"first_release_age_days":null,"last_release_days_ago":454,"avg_days_between_releases":null,"release_velocity":"stale"}}