One hundred ninety-two new vulnerabilities were published on March 26, 2026, with 86 meeting relevance criteria. The headline is a triple authentication bypass in ORY Oathkeeper, the open-source identity proxy used in zero-trust architectures. Squid proxy received three ICP-related fixes in version 7.5, and a 12-year-old Perl RCE finally got a CVE number.
ORY Oathkeeper is an open-source Identity and Access Proxy with 7,100+ GitHub stars. Three vulnerabilities affect all versions before 0.40.10.
CVE-2026-33494 (CVSS 10.0) is a path traversal that bypasses authorization entirely. An attacker requests a URL containing dot-dot segments, such as /public/../admin/secrets, that resolves to a protected endpoint once normalized. Oathkeeper matches access rules against the raw, un-normalized path, so the permissive rule for /public/ is selected; the upstream service then normalizes the path and serves /admin/secrets.
No credentials are required. The result is direct access to any API endpoint behind Oathkeeper.
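To make the rule-matching flaw concrete, here is an added Go example (not Oathkeeper's code; the rule type, the two prefixes and the matcher are hypothetical simplifications) that shows a first-match prefix matcher deciding on the raw path, the same matcher deciding on a normalized path, and a check that flags any request whose normalized path differs from what arrived. That last check is also the one to run over logged request paths when looking for exploitation attempts.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// rule is a hypothetical stand-in for an access rule (not Oathkeeper's own
// types): a path prefix and whether requests under it require authentication.
type rule struct {
	prefix      string
	requireAuth bool
}

// Constructed rule set. With first-match semantics the strict rule is listed
// first; the bug shown below bypasses it anyway.
var rules = []rule{
	{prefix: "/admin/", requireAuth: true},
	{prefix: "/public/", requireAuth: false},
}

// matchRaw reproduces the flaw described for CVE-2026-33494 in simplified
// form: rules are matched against the path exactly as it arrived, so
// "/public/../admin/secrets" selects the permissive /public/ rule even though
// the upstream will normalize the path and serve /admin/secrets.
func matchRaw(reqPath string) (rule, bool) {
	for _, r := range rules {
		if strings.HasPrefix(reqPath, r.prefix) {
			return r, true
		}
	}
	return rule{}, false
}

// normalizePath decodes percent-escapes once and collapses ".", ".." and
// repeated slashes, producing the path an upstream router will act on.
func normalizePath(reqPath string) string {
	decoded, err := url.PathUnescape(reqPath)
	if err != nil {
		decoded = reqPath // malformed escape: leave as-is, Clean still runs
	}
	cleaned := path.Clean("/" + decoded)
	// path.Clean drops a trailing slash; restore it so "/admin/" still
	// matches a prefix rule written with the slash.
	if strings.HasSuffix(decoded, "/") && cleaned != "/" {
		cleaned += "/"
	}
	return cleaned
}

// matchNormalized is the hardened form: the decision is made on the path
// the upstream will actually see.
func matchNormalized(reqPath string) (rule, bool) {
	return matchRaw(normalizePath(reqPath))
}

// suspiciousPath flags any request whose normalized path differs from the
// raw one. It catches "../", "%2e%2e/", "//" and similar, and is the same
// check to run over logged request paths when auditing for attempts.
func suspiciousPath(reqPath string) bool {
	return normalizePath(reqPath) != reqPath
}

func main() {
	for _, p := range []string{
		"/admin/secrets",
		"/public/../admin/secrets",
		"/public/%2e%2e/admin/secrets",
	} {
		raw, _ := matchRaw(p)
		norm, _ := matchNormalized(p)
		fmt.Printf("%-30s raw rule needs auth: %-5t normalized: %-5t suspicious: %t\n",
			p, raw.requireAuth, norm.requireAuth, suspiciousPath(p))
	}
}
```

The normalization has to mirror what the upstream does: percent-decoding before cleaning matters because %2e%2e is ../ to most routers, and if an upstream decodes twice, a single decode here is not enough. Rejecting every request where the normalized path differs from the raw one is the conservative choice when you cannot be sure.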
CVE-2026-33495 (CVSS 6.5) affects rule matching via the X-Forwarded-Proto header. Oathkeeper honours this header unconditionally, even when serve.proxy.trust_forwarded_headers is set to false. An attacker who can get a request carrying a forged X-Forwarded-Proto value through a CDN or reverse proxy in front of Oathkeeper can flip the scheme (http versus https) of the URL that is matched against rules, and so land on a different rule than the one intended for that request.
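An added Go example (not Oathkeeper's implementation; the proxy subnet, the request and the helper names are constructed for illustration) of what "trust forwarded headers" should mean: honour X-Forwarded-Proto only when the immediate TCP peer is a configured proxy, and otherwise derive the scheme from the connection itself, which an external client cannot forge.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// mustCIDRs parses the proxy networks whose forwarded headers we accept.
// 203.0.113.0/24 is a documentation range, used here as a constructed
// stand-in for a CDN or load balancer subnet.
func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

var trustedProxies = mustCIDRs("203.0.113.0/24")

// peerIP extracts the address of the immediate TCP peer from r.RemoteAddr.
func peerIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return net.ParseIP(host)
}

func fromTrustedProxy(r *http.Request, trusted []*net.IPNet) bool {
	ip := peerIP(r)
	if ip == nil {
		return false
	}
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// effectiveScheme returns the scheme a rule matcher should use when building
// the URL it compares against rules. X-Forwarded-Proto is honoured only when
// the peer is a trusted proxy and the value is well formed; otherwise the
// scheme comes from the connection (TLS or not).
func effectiveScheme(r *http.Request, trusted []*net.IPNet) string {
	direct := "http"
	if r.TLS != nil {
		direct = "https"
	}
	if !fromTrustedProxy(r, trusted) {
		return direct
	}
	xfp := strings.ToLower(strings.TrimSpace(r.Header.Get("X-Forwarded-Proto")))
	// A proxy that appends rather than overwrites leaves any client-supplied
	// value earlier in the list; the last element is the nearest trusted hop's.
	if i := strings.LastIndexByte(xfp, ','); i >= 0 {
		xfp = strings.TrimSpace(xfp[i+1:])
	}
	if xfp == "http" || xfp == "https" {
		return xfp
	}
	return direct
}

func main() {
	r, _ := http.NewRequest("GET", "http://api.internal/admin/users", nil)
	r.Header.Set("X-Forwarded-Proto", "https")
	r.RemoteAddr = "198.51.100.7:40000" // direct client, not a trusted proxy
	fmt.Println("untrusted peer:", effectiveScheme(r, trustedProxies))
	r.RemoteAddr = "203.0.113.10:40000" // trusted proxy
	fmt.Println("trusted proxy:", effectiveScheme(r, trustedProxies))
}
```

The trusted proxies still have to be configured to overwrite, not append, client-supplied X-Forwarded-* headers; the peer check above only guarantees that nothing bypasses those proxies.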
CVE-2026-33496 (CVSS 8.1) is a cache key confusion in the oauth2_introspection authenticator. Cached introspection results are not tied to the introspection URL that produced them, so a verdict obtained from one introspection server is reused for rules that point at a different one. An attacker holding a token that one server accepts can prime the cache with it and then present the same token to rules that should have consulted another server.
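The fix is a cache key that binds the verdict to the server that produced it. This added Go example (not Oathkeeper's cache; the types, names and the two introspection URLs are constructed) shows a token cached after validation against one introspection URL being a miss when a rule configured for a different URL looks it up.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// introspection is what we cache about a token: whether it is active and
// when the cached verdict expires. Constructed shape for this example.
type introspection struct {
	active  bool
	expires time.Time
}

// cacheKey binds the cached verdict to the server that produced it. The flaw
// described for CVE-2026-33496 corresponds to keying on the token alone; here
// the introspection URL is hashed in with it, and anything else that changes
// the meaning of the answer (required scopes, audience) belongs here too.
func cacheKey(introspectionURL, token string) string {
	h := sha256.New()
	// Length-prefix each field so "a"+"bc" and "ab"+"c" cannot collide.
	for _, f := range []string{introspectionURL, token} {
		fmt.Fprintf(h, "%d:", len(f))
		h.Write([]byte(f))
	}
	return hex.EncodeToString(h.Sum(nil))
}

type introspectionCache struct {
	mu      sync.Mutex
	entries map[string]introspection
	now     func() time.Time // injectable clock, useful for testing expiry
}

func newCache() *introspectionCache {
	return &introspectionCache{entries: map[string]introspection{}, now: time.Now}
}

func (c *introspectionCache) put(url, token string, active bool, ttl time.Duration) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[cacheKey(url, token)] = introspection{active: active, expires: c.now().Add(ttl)}
}

// lookup returns (active, hit). A token validated against one server is a
// miss for a rule that points at another server, which forces a fresh
// introspection call there instead of reusing the foreign verdict.
func (c *introspectionCache) lookup(url, token string) (active, hit bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.entries[cacheKey(url, token)]
	if !ok || !c.now().Before(e.expires) {
		return false, false
	}
	return e.active, true
}

func main() {
	c := newCache()
	const token = "opaque-token-123" // constructed
	c.put("https://idp-a.example/introspect", token, true, time.Minute)
	_, hitA := c.lookup("https://idp-a.example/introspect", token)
	_, hitB := c.lookup("https://idp-b.example/introspect", token)
	fmt.Println("same server hit:", hitA, "other server hit:", hitB)
}
```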
The CVSS 10.0 path traversal alone justifies an emergency upgrade. An unauthenticated attacker reaches any protected endpoint with a single crafted URL. The cache confusion bug (CVSS 8.1) adds token reuse across introspection servers. The header issue (CVSS 6.5) is lower severity but widens the attack surface in proxy-chain deployments. Any organization using Oathkeeper as the sole access control layer for internal APIs should treat CVE-2026-33494 as a critical incident.
All three are fixed in version 0.40.10-0.20260320084758-8e0002140491. Teams running Oathkeeper should upgrade immediately and audit access logs for traversal sequences in request URLs, including percent-encoded forms such as %2e%2e rather than only a literal ../.
Squid proxy version 7.5 fixes three vulnerabilities in the ICP (Internet Cache Protocol) handler. CVE-2026-33526 (CVSS 9.2) is a heap use-after-free that enables reliable remote denial of service. CVE-2026-32748 (CVSS 8.7) combines premature resource release with heap use-after-free for the same impact.
CVE-2026-33515 (CVSS 6.9) is an out-of-bounds read in ICP handling. A remote attacker can leak small amounts of process memory through the error responses Squid sends to malformed ICP requests.
All three require ICP support to be explicitly enabled (non-zero icp_port in configuration). Default Squid configurations are not affected. The advisories warn that icp_access ACL rules do not mitigate these bugs because the vulnerability triggers before access control is evaluated.
Squid has a documented history of memory safety issues. In 2025, CVE-2025-54574, a heap buffer overflow in URN handling (CVSS 9.3), was followed by CVE-2025-62168, and a security audit by researcher Joshua Rogers published in 2023 identified 55 vulnerabilities, 35 of them unfixed zero-days at the time.
ICP is a legacy inter-cache protocol. Disabling it (icp_port 0) eliminates the attack surface for all three bugs.
CVE-2014-125112 (CVSS 9.8) affects Plack::Middleware::Session::Cookie before version 0.21 for Perl. The vulnerability allows remote code execution. It was assigned a 2014-era CVE identifier but published only on March 26, 2026.
Plack is the Perl toolkit for PSGI, the Perl counterpart of Python's WSGI and Ruby's Rack, and Plack::Middleware::Session::Cookie stores session state in a client-side cookie for Perl web applications. The fix has existed since version 0.21, but without a CVE nothing flagged deployments that never moved past it, so they have been exploitable since 2014 without ever showing up in dependency audits or scanner output. Perl web applications persist in legacy enterprise environments and government systems.
Four WordPress plugin vulnerabilities were published. CVE-2026-4484 (CVSS 9.8) is a privilege escalation in the Masteriyo LMS plugin affecting all versions up to 2.1.6. WordPress LMS plugins have been a recurring target. LearnPress, Tutor LMS, and LearnDash have all had critical vulnerabilities in recent years.
CVE-2026-4758 (CVSS 8.8) allows arbitrary file deletion in the WP Job Portal plugin. On WordPress, arbitrary file deletion is effectively site takeover: remove wp-config.php and the next request drops into the setup wizard, where the attacker can point the site at a database they control and create an administrator account.
CVE-2026-3328 (CVSS 7.2) is a PHP object injection in Frontend Admin by DynamiApps. CVE-2026-2511 (CVSS 7.5) is an SQL injection in JS Help Desk.
Three more vulnerabilities stand out among the rest of the 86. CVE-2026-4809 (CVSS 9.3) affects plank/laravel-mediable before 6.4.0 and allows RCE via dangerous file type upload. CVE-2026-33152 (CVSS 9.1) targets Tandoor Recipes, a Django-based self-hosted recipe app popular among privacy-conscious users. CVE-2026-33942 (CVSS 8.1) is an RCE in the Saloon PHP library for API integrations.
| CVE | CVSS | Product | Action |
|---|---|---|---|
| CVE-2026-33494 | 10.0 | ORY Oathkeeper | Update to 0.40.10+ |
| CVE-2026-33496 | 8.1 | ORY Oathkeeper | Update to 0.40.10+ |
| CVE-2026-33495 | 6.5 | ORY Oathkeeper | Update to 0.40.10+ |
| CVE-2026-33526 | 9.2 | Squid (ICP) | Update to 7.5 or disable ICP |
| CVE-2014-125112 | 9.8 | Plack::Middleware::Session::Cookie (Perl) | Update to 0.21+ |
| CVE-2026-4484 | 9.8 | Masteriyo LMS (WordPress) | Update to 2.1.7+ |
| CVE-2026-4758 | 8.8 | WP Job Portal (WordPress) | Update plugin |
| CVE-2026-4809 | 9.3 | laravel-mediable | Update to 6.4.0+ |
| CVE-2026-33152 | 9.1 | Tandoor Recipes | Update |
The Oathkeeper CVSS 10.0 is the headline, but the Squid ICP cluster matters more for operational teams. Most Squid administrators inherited their configurations and may not know whether ICP is enabled. Check icp_port in squid.conf: Squid's default is disabled, so an explicit non-zero value is what to look for. If ICP is not needed, set it to zero. The icp_access ACL does not help because the vulnerability triggers before access control runs.
Oathkeeper users should upgrade to version 0.40.10 and audit request logs for ../ patterns. Squid administrators running ICP should upgrade to 7.5 or set icp_port 0. WordPress sites using Masteriyo LMS should update to 2.1.7 or remove the plugin. The March 25 digest covered Apple's 21 CVEs and Cisco's semiannual IOS XE bundle.