Platform: go
Component: nginx
Fixed in: 7.15.3, 7.15.2
A critical authentication bypass vulnerability (CVE-2026-34457) has been identified in OAuth2 Proxy. This flaw allows unauthenticated attackers to bypass authentication and access protected upstream resources in specific configurations. The vulnerability affects deployments utilizing auth_request integration with OAuth2 Proxy, particularly when the --ping-user-agent or --gcp-healthchecks flags are enabled. Upgrade to version 7.15.2 to resolve this issue.
The impact of CVE-2026-34457 is significant due to its potential for complete authentication bypass. An attacker can exploit this vulnerability by crafting a request with the configured health check User-Agent value. OAuth2 Proxy, in vulnerable configurations, will incorrectly interpret this request as a successful health check, granting access to protected resources without proper authentication. This could lead to unauthorized access to sensitive data, modification of system configurations, or even complete compromise of the backend systems protected by OAuth2 Proxy. The blast radius extends to any resource protected by OAuth2 Proxy in affected deployments, potentially impacting a wide range of applications and services.
CVE-2026-34457 was publicly disclosed on 2026-04-14. The vulnerability's ease of exploitation and critical severity suggest a potential for active exploitation. While no public proof-of-concept (PoC) has been widely reported, the simplicity of the attack vector increases the likelihood of exploitation. The vulnerability has been added to the CISA KEV catalog, indicating a heightened risk. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns.
Exploit Status:
EPSS: 0.09% (25th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-34457 is to upgrade OAuth2 Proxy to version 7.15.2 or later. If an immediate upgrade is not feasible, consider disabling the --ping-user-agent or --gcp-healthchecks flags. Alternatively, implement a Web Application Firewall (WAF) or reverse proxy to filter requests based on the User-Agent header, blocking requests with the health check User-Agent value. Carefully review OAuth2 Proxy configurations to ensure that auth_request integration is not used in conjunction with the vulnerable health check flags. After upgrading, confirm the fix by attempting to access protected resources with a request containing the health check User-Agent; authentication should be required.
Update OAuth2 Proxy to version 7.15.2 or later to mitigate the vulnerability. This update fixes the issue by ensuring that requests with the health check User-Agent are properly authenticated. Ensure that the configuration of --ping-user-agent or --gcp-healthchecks is appropriate for your environment.
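The attack vector described above leaves a recognisable trace in nginx access logs: a request carrying the configured health-check User-Agent that targets something other than a health-check endpoint. The following detector is an added example, not code from the advisory or from the OAuth2 Proxy project. It parses nginx "combined" format log lines and flags such requests, distinguishing a 2xx (the upstream was served, i.e. the bypass succeeded on an unpatched proxy) from a rejection (the post-upgrade behaviour the mitigation section says to confirm). The User-Agent values, the health-check paths and the log lines are all assumptions constructed for the example; set HEALTHCHECK_AGENTS to whatever your --ping-user-agent is configured to.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumptions for this example (not values from the advisory):
#   - "example-ping-agent/1.0" stands in for whatever --ping-user-agent is set to.
#   - "GoogleHC/1.0" is the assumed User-Agent of GCP health checkers.
#   - The paths below are the assumed health-check endpoints; adjust to your setup.
HEALTHCHECK_AGENTS = {"example-ping-agent/1.0", "GoogleHC/1.0"}
HEALTHCHECK_PATHS = {"/ping", "/liveness_check", "/readiness_check"}

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


@dataclass
class Finding:
    ip: str
    time: str
    method: str
    path: str
    status: int
    ua: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry: dict) -> Optional[Finding]:
    """Flag health-check User-Agents that hit anything other than a health-check path."""
    if entry["ua"] not in HEALTHCHECK_AGENTS:
        return None
    path = entry["path"].split("?", 1)[0]
    if path in HEALTHCHECK_PATHS:
        return None  # expected probe traffic from the load balancer / monitor
    if 200 <= entry["status"] < 300:
        # On an unpatched proxy this is the advisory's bypass: the auth_request
        # subrequest was treated as a health check and nginx served the upstream.
        reason = "health-check User-Agent received 2xx on a protected path (possible bypass)"
    else:
        # After the fix (or behind a WAF rule) the same request is rejected;
        # still worth recording as someone probing with the health-check agent.
        reason = "health-check User-Agent rejected on a protected path (probe)"
    return Finding(entry["ip"], entry["time"], entry["method"], path,
                   entry["status"], entry["ua"], reason)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over every parseable line and collect the findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Apr/2026:10:00:01 +0000] "GET /ping HTTP/1.1" 200 2 "-" "example-ping-agent/1.0"',
    '203.0.113.7 - - [14/Apr/2026:10:00:02 +0000] "GET /admin/users HTTP/1.1" 200 5123 "-" "example-ping-agent/1.0"',
    '203.0.113.7 - - [14/Apr/2026:10:00:03 +0000] "GET /api/secrets?id=1 HTTP/1.1" 401 0 "-" "example-ping-agent/1.0"',
    '198.51.100.2 - - [14/Apr/2026:10:00:04 +0000] "GET /admin/users HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [14/Apr/2026:10:00:05 +0000] "GET /readiness_check HTTP/1.1" 200 2 "-" "GoogleHC/1.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.time} {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
```

Run it against a real access log with `scan(open("/var/log/nginx/access.log"))`. A 2xx finding on a version prior to 7.15.2 is the bypass in action; after upgrading, the same query should only ever produce "probe" findings, which is a cheap way to check that the fix is in place and that health-check traffic is still confined to its own endpoints.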
CVE-2026-34457 is a critical authentication bypass vulnerability in OAuth2 Proxy affecting deployments using auth_request with --ping-user-agent or --gcp-healthchecks, allowing unauthorized access.
You are affected if you use OAuth2 Proxy with auth_request and either --ping-user-agent or --gcp-healthchecks enabled, and are running a version prior to 7.15.2.
Upgrade OAuth2 Proxy to version 7.15.2 or later. Alternatively, disable --ping-user-agent or --gcp-healthchecks or implement WAF rules.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation and critical severity suggest a potential for active exploitation.
Refer to the official OAuth2 Proxy security advisory for detailed information and updates: [https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5x9g-x49g-949x](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5x9g-x49g-949x)