CVE-2026-34457
Received Received - Intake
Authentication Bypass in OAuth2 Proxy via Health Check User-Agent

Publication date: 2026-04-14

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34457
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oauth2_proxy_project oauth2_proxy to 7.15.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OAuth2 Proxy versions prior to 7.15.2 when used with an auth_request-style integration (such as nginx auth_request) and either the --ping-user-agent option is set or --gcp-healthchecks is enabled.

In these affected configurations, OAuth2 Proxy treats any request that has the configured health check User-Agent value as a successful health check regardless of the requested path.

This behavior allows an unauthenticated remote attacker to bypass authentication and access protected upstream resources.

Deployments that do not use auth_request-style subrequests or do not enable --ping-user-agent or --gcp-healthchecks are not affected.

The issue is fixed in version 7.15.2.

Impact Analysis

This vulnerability can allow an unauthenticated remote attacker to bypass authentication controls.

As a result, the attacker can gain unauthorized access to protected upstream resources that should require authentication.

This can lead to exposure of sensitive information or unauthorized actions within the affected system.

Mitigation Strategies

To mitigate this vulnerability, upgrade OAuth2 Proxy to version 7.15.2 or later, where the issue is fixed.

Additionally, review your deployment configuration to ensure that you are not using auth_request-style integrations with either --ping-user-agent set or --gcp-healthchecks enabled, as these settings contribute to the vulnerability.

Compliance Impact

This vulnerability allows an unauthenticated remote attacker to bypass authentication and access protected upstream resources in certain configurations of OAuth2 Proxy. Such unauthorized access to protected resources can lead to exposure of sensitive data.

As a result, this issue could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Organizations using affected versions of OAuth2 Proxy in vulnerable configurations should upgrade to version 7.15.2 to mitigate the risk and maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34457. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart