PT-2026-35186 · Go · Github.Com/Oauth2-Proxy/Oauth2-Proxy/V7
Published
2026-04-15
·
Updated
2026-04-15
CVSS v3.1
8.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
Impact
A configuration-dependent authentication bypass exists in OAuth2 Proxy.
Deployments are affected when all of the following are true:
- Use of
skip auth routesor the legacyskip auth regex* Use of patterns that can be widened by attacker-controlled suffixes, such as^/foo/.*/bar$causing potential exposure of/foo/secret* Protected upstream applications that interpret#as a fragment delimiter or otherwise route the request to the protected base path
In deployments that rely on these settings, an unauthenticated attacker can send a crafted request containing a number sign in the path, including the browser-safe encoded form
%23, so that OAuth2 Proxy matches a public allowlist rule while the backend serves a protected resource.Deployments that do not use these skip-auth options, or that only allow exact public paths with tightly scoped method and path rules, ARE NOT affected.
Patches
A fix has been implemented to normalize request paths more conservatively before skip-auth matching so fragment content does not influence allowlist decisions.
Released as part of
v7.15.2Workarounds
Users who cannot upgrade immediately can reduce exposure by tightening or removing
skip auth routes and skip auth regex rules, especially patterns that use broad wildcards across path segments.Recommended mitigations:
- Replace broad rules with exact, anchored public paths and explicit HTTP methods
- Reject requests whose path contains
%23or#at the ingress, load balancer, or WAF level - Avoid placing sensitive application paths behind broad
skip auth routesrules
Fix
Authentication Bypass Using an Alternate Path or Channel
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github.Com/Oauth2-Proxy/Oauth2-Proxy/V7