Description
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2.
Published: 2026-04-14
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

OAuth2 Proxy versions before 7.15.2 allow a configuration-dependent authentication bypass when used in auth_request mode with either the --ping-user-agent or --gcp-healthchecks features enabled. The proxy treats any request bearing the specified health-check User-Agent string as a successful health check regardless of the requested path, effectively authenticating the client. An attacker who can send a request with that User-Agent header to any upstream endpoint protected by the proxy can bypass authentication and obtain unauthorized access to the protected resource. The weakness is identified as CWE-290 (Improper Restriction or Check for Validity of Authentication).

Affected Systems

The affected product is oauth2-proxy:oauth2-proxy. Deployments using a version earlier than 7.15.2 in an auth_request-style configuration that enable the health-check User-Agent matching via --ping-user-agent or the GCP health-check mode are impacted. Configurations that do not use auth_request sub-requests or do not enable these flags remain unaffected.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical level of risk, reflecting remote authentication bypass that could allow unrestricted access to protected services. While EPSS data is not available and the vulnerability is not listed in the KEV catalog, the lack of a current exploit report does not diminish the severity of the flaw, as the bypass can be invoked simply by sending an HTTP request with the matching User-Agent header. The attack vector is network-based and does not require privileged client access; the attacker just needs to craft an HTTP request with the specific User-Agent string used in health checks.

Generated by OpenCVE AI on April 14, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OAuth2 Proxy to version 7.15.2 or later, where the health-check bypass is resolved.
  • If a patch is not immediately available, remove the --ping-user-agent or --gcp-healthchecks flags from the OAuth2 Proxy configuration to disable health-check User-Agent matching.
  • Monitor incoming HTTP traffic for requests that contain the health-check User-Agent string and target protected resources, and alert on any such activity to detect exploitation attempts.
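As an added example of the monitoring described in the last bullet (not code from the advisory or from the oauth2-proxy project), the following scanner runs over constructed nginx access-log lines and flags requests that present the configured health-check User-Agent while targeting anything other than a health endpoint. The User-Agent value kube-probe/1.29 and the health paths /ping and /ready are assumed deployment settings.

```python
import re
# Assumed deployment settings (not from the advisory): the value configured via
# --ping-user-agent and the paths a genuine probe is expected to request.
PING_USER_AGENT = "kube-probe/1.29"
HEALTH_PATHS = frozenset({"/ping", "/ready"})

# nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    # Return the fields of one combined-format line, or None if it does not parse.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def request_path(entry):
    # Path without query string, so "/api/export?all=1" is judged as "/api/export".
    return entry["target"].split("?", 1)[0]

def is_suspicious(entry, ping_ua=PING_USER_AGENT, health_paths=HEALTH_PATHS):
    # The advisory's condition: the configured health-check User-Agent is presented,
    # but the request targets something other than a health endpoint.
    return entry["ua"] == ping_ua and request_path(entry) not in health_paths

def scan(lines, ping_ua=PING_USER_AGENT, health_paths=HEALTH_PATHS):
    # Run the check over log lines; each finding keeps what an alert needs.
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry, ping_ua, health_paths):
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "path": request_path(entry), "status": int(entry["status"])})
    return findings

# Constructed sample log: two genuine probes, one ordinary browser request that
# was redirected to sign in, and two requests presenting the probe User-Agent.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Apr/2026:23:50:01 +0000] "GET /ping HTTP/1.1" 200 2 "-" "kube-probe/1.29"',
    '203.0.113.7 - - [14/Apr/2026:23:50:12 +0000] "GET /admin/users HTTP/1.1" 200 5120 "-" "kube-probe/1.29"',
    '203.0.113.7 - - [14/Apr/2026:23:50:13 +0000] "GET /admin/users HTTP/1.1" 302 138 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Apr/2026:23:51:40 +0000] "POST /api/export?all=1 HTTP/1.1" 200 44 "-" "kube-probe/1.29"',
    '10.0.0.5 - - [14/Apr/2026:23:52:01 +0000] "GET /ready HTTP/1.1" 200 2 "-" "kube-probe/1.29"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} -> HTTP {f['status']}: probe User-Agent on a protected path")
```

A 200 response on such a request is the strongest signal, since on a patched or correctly configured proxy an unauthenticated request to a protected path should be redirected or rejected instead.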

Advisories
Source: Github GHSA
ID: GHSA-5hvv-m4w4-gf6v
Title: OAuth2 Proxy's Health Check User-Agent Matching Bypasses Authentication in auth_request Mode
History

Thu, 23 Apr 2026 14:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:*:*:*:*:*:*:*:*

Wed, 15 Apr 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values Added: Oauth2 Proxy Project; Oauth2 Proxy Project oauth2 Proxy
Type: Vendors & Products
Values Added: Oauth2 Proxy Project; Oauth2 Proxy Project oauth2 Proxy

Tue, 14 Apr 2026 22:45:00 +0000

Type: Description
Values Added: OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2.
Type: Title
Values Added: OAuth2 Proxy: Health Check User-Agent Matching Bypasses Authentication in auth_request Mode
Type: Weaknesses
Values Added: CWE-290
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T17:43:30.711Z

Reserved: 2026-03-27T18:18:14.895Z

Link: CVE-2026-34457

Vulnrichment

Updated: 2026-04-15T17:43:27.058Z

NVD

Status : Analyzed

Published: 2026-04-14T23:16:28.330

Modified: 2026-04-23T14:14:48.253

Link: CVE-2026-34457

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses