Critical (9.1)

OAuth2 Proxy authentication bypass, unauth (CVE-2026-34457)

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy ...

Overview

A critical security vulnerability in OAuth2 Proxy allows attackers to bypass authentication entirely and gain unauthorized access to protected applications. The flaw, tracked as CVE-2026-34457, affects specific configurations of the popular reverse proxy and authentication provider.

Vulnerability Details

OAuth2 Proxy is used to secure applications by requiring users to authenticate via an OAuth2 provider like Google or GitHub before accessing a resource. In affected deployments, the proxy incorrectly handles health check requests. If the --ping-user-agent option is set or --gcp-healthchecks is enabled, and OAuth2 Proxy is integrated using an auth_request method (common with nginx), the proxy will treat any request with the configured health check User-Agent string as a successful authentication check. This occurs regardless of the URL path being requested.

An attacker can simply spoof this specific User-Agent string in their HTTP requests. The proxy will then grant the request access to the protected upstream application without requiring any login, token, or other credentials.

Impact

The impact is severe. A remote, unauthenticated attacker can directly access any resource behind the misconfigured OAuth2 Proxy. This could lead to data theft, unauthorized actions, or further compromise of internal systems, depending on the applications being protected. The vulnerability has a CVSS score of 9.1, reflecting its high severity due to the network-based attack vector and lack of required privileges or user interaction.

Affected Versions and Detection

This vulnerability affects OAuth2 Proxy versions prior to 7.15.2. Your deployment is only vulnerable if all of the following conditions are met:

  1. OAuth2 Proxy is integrated using an auth_request-style subrequest (e.g., nginx’s auth_request directive).
  2. The --ping-user-agent command-line flag is set or the --gcp-healthchecks flag is enabled.

Deployments using other integration methods (like the standard reverse proxy mode) or without these specific flags enabled are not affected.

Remediation and Mitigation

The primary and definitive remediation is to update OAuth2 Proxy to version 7.15.2 or later. This version contains the fix that ensures health check User-Agent matching is restricted to the actual health check endpoint paths.

Immediate Action:

  1. Patch: Upgrade all instances of OAuth2 Proxy to version 7.15.2.
  2. Verify Configuration: If immediate patching is not possible, review your configuration. Temporarily disabling the --ping-user-agent or --gcp-healthchecks options will mitigate the vulnerability but will also disable intended health check functionality.
  3. Monitor: Review access logs for requests using the health check User-Agent string that are not directed to the expected health check endpoints.
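A log check for the monitoring step above, added here as an example that is not part of this advisory or of the OAuth2 Proxy project: it scans nginx combined-format access log lines for requests that carry the health-check User-Agent but target something other than the health-check endpoints. The sample log lines are constructed, and the User-Agent value and the health-check paths (/ping, /ready) are assumptions to be replaced with your configured values.

```python
import re

# Constructed nginx combined-format access log lines for illustration only.
# Line 1 is a legitimate probe; lines 2-3 carry the probe User-Agent but hit
# application paths; line 4 is an ordinary browser request that was redirected.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /ping HTTP/1.1" 200 2 "-" "kube-probe/1.29"
203.0.113.7 - - [12/Mar/2026:10:01:09 +0000] "GET /admin/users HTTP/1.1" 200 5120 "-" "kube-probe/1.29"
203.0.113.7 - - [12/Mar/2026:10:01:15 +0000] "POST /api/export HTTP/1.1" 200 88 "-" "kube-probe/1.29"
198.51.100.2 - - [12/Mar/2026:10:02:00 +0000] "GET /admin/users HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# nginx "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def find_spoofed_health_checks(log_text, ping_user_agent, health_paths=("/ping", "/ready")):
    """Return (ip, method, path, status) for every request whose User-Agent
    equals the configured health-check agent but whose path is not one of the
    health-check endpoints. Exact User-Agent match is assumed; the health-check
    paths default to assumed values and should be set from your deployment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["ua"] != ping_user_agent:
            continue
        path = m["path"].split("?", 1)[0]  # ignore query string when comparing
        if path in health_paths:
            continue  # legitimate probe of a health-check endpoint
        hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, method, path, status in find_spoofed_health_checks(SAMPLE_LOG, "kube-probe/1.29"):
        print(f"suspicious: {ip} {method} {path} -> {status}")
```

A 2xx status on a flagged line is the strongest signal, since it means the upstream answered rather than redirecting to login; run the check against both the nginx front-end log and the OAuth2 Proxy log, as the auth subrequest carries the same User-Agent as the original request.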

Security Insight

This vulnerability highlights the inherent risk in overloading the semantics of a health check endpoint. Treating a health check as an authentication bypass vector is a recurring pattern, similar to past flaws in other proxies and API gateways. It underscores the necessity for security-focused code review of all request-handling logic, even for seemingly innocuous features like uptime monitoring, to ensure they cannot be repurposed for privilege escalation.
