PT-2026-34215 · Unknown · Oauth2 Proxy
Rootxharsh · Published 2026-04-15 · Updated 2026-04-25 · CVE-2026-41059
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OAuth2 Proxy versions 7.5.0 through 7.15.1
Description: A configuration-dependent authentication bypass exists when the software is deployed with skip auth routes, or the legacy skip auth regex, using patterns that an attacker-controlled suffix can widen. It occurs when the protected upstream application interprets the # character as a fragment delimiter, or routes the request to the protected base path. An unauthenticated attacker can send a crafted request whose path contains a number sign, including its browser-safe encoded form %23, so that the request matches a public allowlist rule while the backend serves a protected resource.
Recommendations: Update to version 7.15.2. Tighten or remove skip auth routes and skip auth regex rules, in particular patterns whose wildcards span path segments. Replace broad rules with exact, anchored public paths and explicit HTTP methods. Reject requests containing %23 or # in the path at the ingress, load balancer or WAF. Do not place sensitive application paths behind broad skip auth routes rules.

Fix

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Related Identifiers

BIT-OAUTH2-PROXY-2026-41059
CVE-2026-41059
GHSA-PXQ7-H93F-9JRG

Affected Products

Oauth2 Proxy