PT-2026-32955 · Go · Github.Com/Oauth2-Proxy/Oauth2-Proxy+1

Iamnoooob

·

Published

2026-04-14

·

Updated

2026-04-14

·

CVE-2026-34457

CVSS v3.1

9.1

Critical

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Impact

A configuration-dependent authentication bypass exists in OAuth2 Proxy.
Deployments are affected when all of the following are true:
  • OAuth2 Proxy is used with an auth request-style integration (for example, nginx auth request)
  • --ping-user-agent is set or --gcp-healthchecks is enabled
In affected configurations, OAuth2 Proxy will treat a request with the configured health check User-Agent value as a successful health check regardless of the requested path. This allows an unauthenticated remote attacker to bypass authentication and access protected upstream resources without completing the normal login flow.
This issue does not affect deployments that do not use auth request-style subrequests, or that do not enable --ping-user-agent/--gcp-healthchecks.

Patches

Users should upgrade to v7.15.2 or later once available. Deployments running versions prior to v7.15.2 should be considered affected if they use auth request-style authentication together with --ping-user-agent or --gcp-healthchecks.

Workarounds

Users can mitigate this issue by:
  • disabling --gcp-healthchecks
  • removing any configured --ping-user-agent
  • ensuring the reverse proxy does not forward client-controlled User-Agent headers to the OAuth2 Proxy auth subrequest
  • using path-based health checks only, on dedicated health check endpoints
Example nginx mitigation for the auth subrequest:
location = /oauth2/auth {
  internal;
  proxy pass http://127.0.0.1:4180;
  proxy pass request body off;
  proxy set header Content-Length "";
  proxy set header Host $host;
  # set to value that isn't the same as your configured PingUserAgent or GCPs "GoogleHC/1.0"
  proxy set header User-Agent "oauth2-proxy-auth-request";
}

Fix

Authentication Bypass by Spoofing

Weakness Enumeration

CWE-290

Related Identifiers

CVE-2026-34457
GHSA-5HVV-M4W4-GF6V

Affected Products

Github.Com/Oauth2-Proxy/Oauth2-Proxy
Github.Com/Oauth2-Proxy/Oauth2-Proxy/V7