CVE-2026-41059
Authentication Bypass in OAuth2 Proxy via Skip-Auth Route Misconfiguration
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oauth2_proxy_project | oauth2_proxy | From 7.5.0 (inc) to 7.15.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects OAuth2 Proxy versions 7.5.0 through 7.15.1 and involves a configuration-dependent authentication bypass. It occurs when certain skip-authentication options (`skip_auth_routes` or `skip_auth_regex`) are used with patterns that can be extended by attacker-controlled suffixes. An attacker can craft a request containing a number sign (#) or its encoded form (%23) in the path, causing OAuth2 Proxy to incorrectly match a public allowlist rule while the backend serves a protected resource. This allows an unauthenticated attacker to access protected resources.
The issue arises because some upstream applications interpret the number sign as a fragment delimiter, which affects how the request is routed. Deployments that do not use these skip-auth options or use tightly scoped exact path rules are not affected. A fix was introduced in version 7.15.2 to normalize request paths more conservatively before matching skip-auth rules.
Mitigations for users who cannot upgrade immediately include tightening or removing broad skip-auth rules, rejecting requests containing %23 or # at ingress points, and avoiding placing sensitive paths behind broad skip-auth rules.
How can this vulnerability impact me? :
This vulnerability can allow an unauthenticated attacker to bypass authentication controls and access protected resources that should require authentication. This can lead to unauthorized access to sensitive information or functionality within the protected upstream applications.
The impact includes potential exposure of confidential data and partial compromise of the integrity of the protected applications, as attackers can access resources without proper credentials.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your OAuth2 Proxy deployment uses the vulnerable versions 7.5.0 through 7.15.1 with configuration settings that include skip_auth_routes or skip_auth_regex patterns that can be widened by attacker-controlled suffixes.
You can look for requests containing a number sign (#) or its encoded form (%23) in the path, which may indicate attempts to exploit the authentication bypass.
Commands to help detect such attempts might include searching web server or proxy logs for these characters in URLs, for example using grep:
- grep -E '%23|#' /var/log/oauth2_proxy/access.log
- tcpdump or Wireshark filters to capture HTTP requests containing %23 or # in the path.
Additionally, reviewing your OAuth2 Proxy configuration for the presence of skip_auth_routes or skip_auth_regex with broad wildcard patterns can help identify vulnerable setups.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include tightening or removing skip_auth_routes and skip_auth_regex rules, especially those with broad wildcard patterns that can be exploited.
Replace broad rules with exact, anchored public paths and explicit HTTP methods to reduce the attack surface.
Reject requests containing the character '#' or its encoded form '%23' at the ingress, load balancer, or web application firewall (WAF) level to prevent exploitation.
Avoid placing sensitive application paths behind broad skip_auth_routes rules.
Ultimately, upgrade to OAuth2 Proxy version 7.15.2 or later, where the fix has been implemented to normalize request paths before skip-auth matching.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an unauthenticated attacker to bypass authentication under certain configuration conditions, potentially exposing protected resources. Such unauthorized access could lead to the exposure of sensitive personal or protected health information.
Exposure of sensitive data due to authentication bypass may result in non-compliance with regulations like GDPR and HIPAA, which require strict access controls and protection of personal and health information.
Mitigations such as tightening authentication rules and rejecting requests with certain characters can reduce the risk, helping maintain compliance.