Critical (9.1)

OAuth2 Proxy authentication bypass, unauth (CVE-2026-34457)

CVE-2026-34457

Attackers can bypass authentication in OAuth2 Proxy to access any protected resource. Patch to version 7.15.2 immediately. CVE-2026-34457 is rated critical.

Affected: OAuth2 Proxy (OAuth2 Proxy Project)

Patch now - CVE-2026-34457 is a critical authentication bypass in OAuth2 Proxy versions prior to 7.15.2 that grants a remote unauthenticated attacker direct access to all protected applications by spoofing a health check User-Agent. Update to version 7.15.2 immediately to block this exploit.

Overview

A critical security vulnerability in OAuth2 Proxy allows attackers to bypass authentication entirely and gain unauthorized access to protected applications. The flaw, tracked as CVE-2026-34457, affects specific configurations of the popular reverse proxy and authentication provider.

Vulnerability Details

OAuth2 Proxy is used to secure applications by requiring users to authenticate via an OAuth2 provider like Google or GitHub before accessing a resource. In affected deployments, the proxy incorrectly handles health check requests. If the --ping-user-agent option is set or --gcp-healthchecks is enabled, and OAuth2 Proxy is integrated using an auth_request method (common with nginx), the proxy will treat any request with the configured health check User-Agent string as a successful authentication check. This occurs regardless of the URL path being requested.

An attacker can simply spoof this specific User-Agent string in their HTTP requests. The proxy will then grant the request access to the protected upstream application without requiring any login, token, or other credentials.

Impact

The impact is severe. A remote, unauthenticated attacker can directly access any resource behind the misconfigured OAuth2 Proxy. This could lead to data theft, unauthorized actions, or further compromise of internal systems, depending on the applications being protected. The vulnerability has a CVSS score of 9.1, reflecting its high severity due to the network-based attack vector and lack of required privileges or user interaction.

Affected Versions and Detection

This vulnerability affects OAuth2 Proxy versions prior to 7.15.2. Your deployment is only vulnerable if all of the following conditions are met:

  1. OAuth2 Proxy is integrated using an auth_request-style subrequest (e.g., nginx’s auth_request directive).
  2. The --ping-user-agent command-line flag is set or the --gcp-healthchecks flag is enabled.

Deployments using other integration methods (like the standard reverse proxy mode) or without these specific flags enabled are not affected.

Remediation and Mitigation

The primary and definitive remediation is to update OAuth2 Proxy to version 7.15.2 or later. This version contains the fix that ensures health check User-Agent matching is restricted to the actual health check endpoint paths.

Immediate Action:

  1. Patch: Upgrade all instances of OAuth2 Proxy to version 7.15.2.
  2. Verify Configuration: If immediate patching is not possible, review your configuration. Temporarily disabling the --ping-user-agent or --gcp-healthchecks options will mitigate the vulnerability but will also disable intended health check functionality.
  3. Monitor: Review access logs for requests using the health check User-Agent string that are not directed to the expected health check endpoints.
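The log review in step 3, written out as an added example (not code from this advisory or from the OAuth2 Proxy project): it parses nginx combined-format access log lines and flags requests that carry the configured health check User-Agent but target anything other than the expected health check paths. The User-Agent value, the paths /ping and /ready, and the log lines below are constructed assumptions; set them to match your deployment's --ping-user-agent (or GCP checker agent) and ping/ready paths.

```python
import re

# Constructed configuration (assumptions): the User-Agent your health checker
# sends and the only paths it is expected to request. Adjust to your setup.
HEALTH_CHECK_UA = "GoogleHC/1.0"
HEALTH_CHECK_PATHS = {"/ping", "/ready"}

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_suspect(entry, ua=HEALTH_CHECK_UA, paths=HEALTH_CHECK_PATHS):
    """True when the health check UA was used on a path that is not a health check."""
    path = entry["path"].split("?", 1)[0]  # ignore the query string
    return entry["ua"] == ua and path not in paths  # exact UA match, like the proxy


def find_suspects(lines, ua=HEALTH_CHECK_UA, paths=HEALTH_CHECK_PATHS):
    """Parse every line and return the entries that look like UA-spoofed bypasses."""
    suspects = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; in real use, report these separately
        if is_suspect(entry, ua, paths):
            suspects.append(entry)
    return suspects


# Constructed sample log: two legitimate probes, one normal login redirect,
# and two requests from an external IP reusing the health check User-Agent.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Apr/2026:10:00:01 +0000] "GET /ping HTTP/1.1" 200 2 "-" "GoogleHC/1.0"',
    '203.0.113.7 - - [14/Apr/2026:10:00:02 +0000] "GET /admin/users HTTP/1.1" 200 5120 "-" "GoogleHC/1.0"',
    '198.51.100.9 - - [14/Apr/2026:10:00:03 +0000] "GET /admin/users HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Apr/2026:10:00:04 +0000] "POST /api/export?all=1 HTTP/1.1" 200 9000 "-" "GoogleHC/1.0"',
    '10.0.0.5 - - [14/Apr/2026:10:00:05 +0000] "GET /ready HTTP/1.1" 200 2 "-" "GoogleHC/1.0"',
]

if __name__ == "__main__":
    for s in find_suspects(SAMPLE_LOG):
        print(f"SUSPECT {s['ip']} {s['time']} {s['method']} {s['path']} -> {s['status']}")
```

A hit with a 200 status on a protected path is the case to escalate; a 302 or 401 on the same path means the proxy still sent the caller to the login flow.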


Security Insight

This vulnerability highlights the inherent risk in overloading the semantics of a health check endpoint. A health check turning into an authentication bypass vector is a recurring pattern, similar to past flaws in other proxies and API gateways. It underscores the necessity for security-focused code review of all request-handling logic, even for seemingly innocuous features like uptime monitoring, to ensure they cannot be repurposed for privilege escalation.

Update - May 2026

Since initial publication on April 14, no patches beyond the v7.15.2 fix have been released by the OAuth2 Proxy maintainers for CVE-2026-34457. The vulnerability remains unpatched for any deployments still running versions prior to 7.15.2. As of May 11, this CVE is not listed in CISA’s Known Exploited Vulnerabilities catalog, though monitoring is advised given the critical severity. The EPSS score has increased from 0.00098 to 0.0013 (32nd percentile), indicating slightly elevated but still low exploitation probability in the wild.

No related CVEs in the same software family have been published this month. No confirmed real-world exploitation reports have been observed in open threat intelligence feeds as of this update, and no public detection signatures or proof-of-concept exploits have been made available.

Defenders should immediately verify that all instances of OAuth2 Proxy are running version 7.15.2 or later. For environments where upgrading is not immediately feasible, ensure that the configuration does not expose the bypass trigger condition described in the advisory - specifically, review whether the proxy is integrated via an auth_request-style subrequest while --ping-user-agent is set or --gcp-healthchecks is enabled, and disable those options until the upgrade is done. Continue monitoring CISA KEV and track EPSS scores for escalation signals.
