Changelog for Ory Oathkeeper OEL
26.2.6
This version contains only minor changes and improvements such as dependency updates.
v26.2.5
Fix shared mutable state in error handling
Error globals such as herodot.ErrNotFound were package-level variables shared across all requests. Calling methods like WithReason or WithDetail mutated these variables in place and returned the same pointer, so any request that added context to an error (reason text, details, and so on) modified the global. The next request to reach an error path using the same error inherited those stale details.
As a consequence, observability (logs, traces) for requests resulting in an error suffered from the same issue: some errors were reported with details belonging to an unrelated request, or with fields missing that should have been present.
The new API creates a fresh error instance on each call, so each request gets its own copy.
The following values were at risk of leaking into unrelated error responses:
- HTTP cookie names (Kratos CSRF flow)
- Entity UUIDs (identity, organization, etc)
- OAuth2 error hints (Hydra and Kratos Hydra bridge)
- OIDC provider URLs and raw upstream error responses (Kratos OIDC strategy)
- External schema fetch URLs and HTTP status codes (Kratos schema handler)
- JWT claims and issuers (Oathkeeper JWT authenticator)
No data was written to persistent storage or transmitted outside the error response. Any two requests hitting the same error path on the same node — even back-to-back with no concurrency — could exchange error details.
Under concurrent load, the shared writes also constitute a true data race, which can additionally produce errors in an inconsistent or partially written state.
This change has no externally observable effect other than fixing the information leak in error paths.
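The defect and its fix, reduced to a self-contained Go program. This is an added illustration, not herodot's or Oathkeeper's code: the HTTPError type, the ErrNotFound sentinel and the method names are hypothetical stand-ins modelled on the pattern the entry describes. WithReasonInPlace reproduces the pre-fix behaviour (write to the receiver, return the same pointer); WithReason and WithDetail show the corrected behaviour (deep-copy first, including the details map, so the sentinel is never written to).

```go
package main

import (
	"fmt"
	"net/http"
)

// HTTPError is a hypothetical error type modelled on the pattern the changelog
// describes (status code plus per-request reason and details). It is an
// illustration, not herodot's real type or API.
type HTTPError struct {
	Code    int
	Message string
	Reason  string
	Details map[string]interface{}
}

func (e *HTTPError) Error() string { return e.Message }

// ErrNotFound is a package-level sentinel shared by every request, as the
// pre-fix code had it.
var ErrNotFound = &HTTPError{Code: http.StatusNotFound, Message: "not found"}

// WithReasonInPlace reproduces the defect: it writes to the receiver and
// returns the same pointer, so calling it on a sentinel changes what every
// later request sees. With concurrent callers this is also a data race.
func (e *HTTPError) WithReasonInPlace(reason string) *HTTPError {
	e.Reason = reason
	return e
}

// clone deep-copies the error, including the Details map, so the copy can be
// modified without touching the value it was derived from.
func (e *HTTPError) clone() *HTTPError {
	c := *e
	c.Details = make(map[string]interface{}, len(e.Details))
	for k, v := range e.Details {
		c.Details[k] = v
	}
	return &c
}

// WithReason is the fixed behaviour: each call returns a fresh instance and
// the sentinel is never written to.
func (e *HTTPError) WithReason(reason string) *HTTPError {
	c := e.clone()
	c.Reason = reason
	return c
}

// WithDetail attaches request-specific context (an entity ID, a cookie name)
// to a fresh copy rather than to the shared sentinel.
func (e *HTTPError) WithDetail(key string, value interface{}) *HTTPError {
	c := e.clone()
	c.Details[key] = value
	return c
}

// simulateLeak plays two sequential requests against the mutating API and
// returns the reason the second request observes although it set none.
// The sentinel is restored afterwards so the demo leaves no trace.
func simulateLeak() string {
	defer func() { ErrNotFound.Reason = "" }()
	_ = ErrNotFound.WithReasonInPlace("cookie csrf_token_a not found") // request A
	return ErrNotFound.Reason                                          // request B
}

// simulateFixed does the same with the copying API and returns what the
// sentinel holds afterwards (expected: empty).
func simulateFixed() string {
	errA := ErrNotFound.WithReason("cookie csrf_token_a not found")
	_ = errA // request A keeps its own copy
	return ErrNotFound.Reason
}

func main() {
	fmt.Printf("mutating API, leaked into request B: %q\n", simulateLeak())
	fmt.Printf("copying API, sentinel reason afterwards: %q\n", simulateFixed())
}
```

Running the mutating variant under `go test -race` with two goroutines calling it concurrently is the quickest way to confirm the second problem the entry mentions: the race detector flags the concurrent writes to the sentinel, whereas the copying variant is race-free because the shared value is only ever read.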
v26.2.4
Migrate Helm chart repository URL from k8s.ory.sh to k8s.ory.com
The Helm chart repository URL has been updated from k8s.ory.sh to k8s.ory.com. The old URL will continue to work with
redirects for a limited time. Update your Helm repository configuration to use the new URL.
26.2.3
This version contains only minor changes and improvements such as dependency updates.
26.2.2
This version contains only minor changes and improvements such as dependency updates.
26.2.1
This version contains only minor changes and improvements such as dependency updates.
v26.2.0
Improved handling of forwarded headers
This release includes improvements to the handling of forwarded headers in Ory Oathkeeper. The change ensures that when the
configuration serve.proxy.trust_forwarded_headers is disabled, all X-Forwarded* and the standard Forwarded headers are
removed before processing and forwarding the request. Previously, only the X-Forwarded, X-Forwarded-Host, and
X-Forwarded-Proto headers were removed. If the downstream service relies on any of the X-Forwarded* headers, it is recommended
to enable the serve.proxy.trust_forwarded_headers configuration option to ensure proper handling of forwarded headers.
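The header-stripping rule described above, as an added Go example that is not Oathkeeper's own code. legacyStrip mirrors the old behaviour (only three named headers removed); stripForwardedHeaders mirrors the new behaviour when serve.proxy.trust_forwarded_headers is disabled (every X-Forwarded* header and the standard Forwarded header removed before the request is processed or forwarded) and leaves the headers untouched when it is enabled. The sample header values are constructed for the demo.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// legacyStrip mirrors the pre-v26.2.0 behaviour described in the changelog:
// only three named headers were removed, so X-Forwarded-For, X-Forwarded-Port
// and Forwarded from an untrusted client survived.
func legacyStrip(h http.Header) {
	for _, name := range []string{"X-Forwarded", "X-Forwarded-Host", "X-Forwarded-Proto"} {
		h.Del(name)
	}
}

// stripForwardedHeaders mirrors the new behaviour. With trust disabled, every
// header whose name starts with X-Forwarded, plus the standard Forwarded
// header, is removed; the removed names are returned (sorted) so the caller
// can log what was dropped. With trust enabled nothing is touched.
// Illustrative stand-in, not Oathkeeper's own code.
func stripForwardedHeaders(h http.Header, trustForwarded bool) []string {
	if trustForwarded {
		return nil
	}
	var removed []string
	for name := range h {
		lower := strings.ToLower(name)
		if lower == "forwarded" || strings.HasPrefix(lower, "x-forwarded") {
			removed = append(removed, name)
		}
	}
	for _, name := range removed {
		h.Del(name)
	}
	sort.Strings(removed)
	return removed
}

// remainingNames lists the header names still present, sorted.
func remainingNames(h http.Header) []string {
	var names []string
	for name := range h {
		names = append(names, name)
	}
	sort.Strings(names)
	return names
}

// constructedHeaders builds a sample header set (constructed for this demo)
// in which a client claims a forwarded origin, plus one legitimate header.
func constructedHeaders() http.Header {
	h := http.Header{}
	h.Set("X-Forwarded-For", "203.0.113.9")
	h.Set("X-Forwarded-Host", "internal.example.test")
	h.Set("X-Forwarded-Proto", "https")
	h.Set("X-Forwarded-Port", "443")
	h.Set("Forwarded", "for=203.0.113.9;proto=https")
	h.Set("Authorization", "Bearer constructed-token")
	return h
}

func main() {
	old := constructedHeaders()
	legacyStrip(old)
	fmt.Println("legacy behaviour leaves:", remainingNames(old))

	h := constructedHeaders()
	removed := stripForwardedHeaders(h, false)
	fmt.Println("new behaviour removed:", removed)
	fmt.Println("new behaviour leaves:", remainingNames(h))

	trusted := constructedHeaders()
	fmt.Println("trust enabled, removed:", stripForwardedHeaders(trusted, true))
}
```

The prefix match rather than a fixed list is the point of the change: an upstream that reads X-Forwarded-For or X-Forwarded-Port to make decisions would otherwise receive client-controlled values even though the proxy had been told not to trust them.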
26.1.18
This version contains only minor changes and improvements such as dependency updates.
26.1.17
This version contains only minor changes and improvements such as dependency updates.
v26.1.16
Pass through HTTP 429 rate-limit errors with upstream headers
Oathkeeper now propagates rate-limit headers (Retry-After, X-Rate-Limit-*, RateLimit-*) from upstream services when returning HTTP 429 responses. Previously, rate-limit errors lost their headers during error handling, preventing clients from knowing when to retry. This fix also resolves a potential data race caused by mutating shared error sentinel values.
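The passthrough described above, as an added Go example that is not Oathkeeper's own code. isRateLimitHeader and writeUpstreamError are hypothetical names; the upstream response is constructed inline. The error handler keeps only the three header families the entry names on a 429 and drops every other upstream header, so retry guidance reaches the client without unrelated upstream headers leaking through the error path.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isRateLimitHeader reports whether an upstream header carries retry guidance
// the client needs: Retry-After, X-Rate-Limit-* or RateLimit-*. Header names
// are matched case-insensitively. Illustrative stand-in, not Oathkeeper's code.
func isRateLimitHeader(name string) bool {
	lower := strings.ToLower(name)
	return lower == "retry-after" ||
		strings.HasPrefix(lower, "x-rate-limit-") ||
		strings.HasPrefix(lower, "ratelimit-")
}

// writeUpstreamError turns a failed upstream response into the response the
// proxy sends to the client. On 429 the rate-limit headers are copied through;
// everything else from upstream (request IDs, Set-Cookie, ...) is dropped so
// the error path does not become a side channel for unrelated headers.
func writeUpstreamError(w http.ResponseWriter, upstream *http.Response) {
	w.Header().Set("Content-Type", "application/json")
	if upstream.StatusCode != http.StatusTooManyRequests {
		w.WriteHeader(http.StatusBadGateway)
		fmt.Fprint(w, `{"error":"upstream_error"}`)
		return
	}
	for name, values := range upstream.Header {
		if !isRateLimitHeader(name) {
			continue
		}
		for _, v := range values {
			w.Header().Add(name, v)
		}
	}
	w.WriteHeader(http.StatusTooManyRequests)
	fmt.Fprint(w, `{"error":"rate_limited","message":"upstream rate limit exceeded"}`)
}

// constructedUpstream429 builds a fake upstream 429 (constructed for this
// demo) with retry guidance plus one header that must not be forwarded.
func constructedUpstream429() *http.Response {
	h := http.Header{}
	h.Set("Retry-After", "30")
	h.Set("X-Rate-Limit-Remaining", "0")
	h.Set("RateLimit-Reset", "30")
	h.Set("X-Upstream-Request-Id", "req-123") // unrelated, must be dropped
	return &http.Response{
		StatusCode: http.StatusTooManyRequests,
		Header:     h,
		Body:       io.NopCloser(strings.NewReader("")),
	}
}

// proxyErrorResponse runs the handler against a recorder so the result can
// be inspected without a network.
func proxyErrorResponse(upstream *http.Response) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	writeUpstreamError(rec, upstream)
	return rec
}

func main() {
	rec := proxyErrorResponse(constructedUpstream429())
	fmt.Println("status:", rec.Code)
	for name, values := range rec.Header() {
		fmt.Printf("%s: %s\n", name, strings.Join(values, ", "))
	}
	fmt.Println("body:", rec.Body.String())
}
```

The handler builds a fresh response for each call rather than annotating a shared error value, which is the same discipline the entry credits with removing the sentinel data race.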
26.1.15
This version contains only minor changes and improvements such as dependency updates.
26.1.14
This version contains only minor changes and improvements such as dependency updates.
26.1.13
This version contains only minor changes and improvements such as dependency updates.
26.1.12
This version contains only minor changes and improvements such as dependency updates.
26.1.11
This version contains only minor changes and improvements such as dependency updates.
26.1.10
This version contains only minor changes and improvements such as dependency updates.
26.1.9
This version contains only minor changes and improvements such as dependency updates.
26.1.8
This version contains only minor changes and improvements such as dependency updates.
26.1.7
This version contains only minor changes and improvements such as dependency updates.
26.1.6
This version contains only minor changes and improvements such as dependency updates.
26.1.5
This version contains only minor changes and improvements such as dependency updates.
26.1.4
This version contains only minor changes and improvements such as dependency updates.
26.1.3
This version contains only minor changes and improvements such as dependency updates.
26.1.2
This version contains only minor changes and improvements such as dependency updates.
26.1.1
This version contains only minor changes and improvements such as dependency updates.
26.1.0
This version contains only minor changes and improvements such as dependency updates.
25.4.12
This version contains only minor changes and improvements such as dependency updates.
25.4.11
This version contains only minor changes and improvements such as dependency updates.
25.4.10
This version contains only minor changes and improvements such as dependency updates.
25.4.9
This version contains only minor changes and improvements such as dependency updates.
25.4.8
This version contains only minor changes and improvements such as dependency updates.
25.4.7
This version contains only minor changes and improvements such as dependency updates.
25.4.6
This version contains only minor changes and improvements such as dependency updates.
25.4.5
This version contains only minor changes and improvements such as dependency updates.
25.4.4
This version contains only minor changes and improvements such as dependency updates.
25.4.3
This version contains only minor changes and improvements such as dependency updates.
25.4.2
This version contains only minor changes and improvements such as dependency updates.
25.4.1
This version contains only minor changes and improvements such as dependency updates.
25.4.0
This version contains only minor changes and improvements such as dependency updates.
25.3.9
This version contains only minor changes and improvements such as dependency updates.
25.3.8
This version contains only minor changes and improvements such as dependency updates.
25.3.7
This version contains only minor changes and improvements such as dependency updates.
25.3.6
This version contains only minor changes and improvements such as dependency updates.
v25.3.5
Change of base image
The base image for OEL images is now set to "gcr.io/distroless/static-debian12:nonroot". Previously, it was "gcr.io/distroless/static-debian12:debug-nonroot", which included BusyBox (a minimal shell and basic debugging utilities). Debug images are still available using the "-debug" tag suffix.
25.3.4
This version contains only minor changes and improvements such as dependency updates.
25.3.3
This version contains only minor changes and improvements such as dependency updates.
2025-05-08
Initial Ory Oathkeeper OEL release
Changes:
- fix security vulnerability classified as critical CVE-2025-22871
- fix security vulnerability classified as high CVE-2025-30204 (GHSA-mh63-6h87-95cp)
No specific upgrade steps are required for this release. The Ory Kratos OEL image is now available in the Ory Enterprise Docker Registry.
