Platform
go
Component
nginx
Fixed in
7.15.3
7.15.2
A critical authentication bypass vulnerability (CVE-2026-34457) has been identified in OAuth2 Proxy. This flaw allows unauthenticated attackers to bypass authentication and access protected upstream resources in specific configurations. The vulnerability affects deployments utilizing auth_request integration with OAuth2 Proxy, particularly when the --ping-user-agent or --gcp-healthchecks flags are enabled. Upgrade to version 7.15.2 to resolve this issue.
The impact of CVE-2026-34457 is significant due to its potential for complete authentication bypass. An attacker can exploit this vulnerability by crafting a request with the configured health check User-Agent value. OAuth2 Proxy, in vulnerable configurations, will incorrectly interpret this request as a successful health check, granting access to protected resources without proper authentication. This could lead to unauthorized access to sensitive data, modification of system configurations, or even complete compromise of the backend systems protected by OAuth2 Proxy. The blast radius extends to any resource protected by OAuth2 Proxy in affected deployments, potentially impacting a wide range of applications and services.
CVE-2026-34457 was publicly disclosed on 2026-04-14. The vulnerability's ease of exploitation and critical severity suggest a potential for active exploitation. While no public proof-of-concept (PoC) has been widely reported, the simplicity of the attack vector increases the likelihood of exploitation. The vulnerability has been added to the CISA KEV catalog, indicating a heightened risk. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns.
Organizations utilizing OAuth2 Proxy for authentication in conjunction with Nginx's auth_request directive are at significant risk. This includes deployments relying on health check endpoints for monitoring and those using --ping-user-agent or --gcp-healthchecks for integration with cloud platforms. Shared hosting environments where OAuth2 Proxy is deployed as a shared service are particularly vulnerable.
• linux / server:
  journalctl -u oauth2-proxy | grep -i "health check"
• generic web:
  curl -I -H "User-Agent: <health_check_user_agent>" https://<protected_resource>
  Inspect the response headers for signs of unauthorized access.
• generic web:
  grep -r "--ping-user-agent" /etc/nginx/conf.d/*
  grep -r "--gcp-healthchecks" /etc/nginx/conf.d/*
  Check Nginx configuration files for the presence of these flags.
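As an added detection example (not from the advisory or the OAuth2 Proxy project), the following Python scans Nginx access-log lines for requests that carry the configured health-check User-Agent but target something other than the ping endpoint, which is the trace a bypass attempt would leave in the proxy's logs. The User-Agent string, the /ping path (assumed to be OAuth2 Proxy's default ping path) and the log lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample values (not from the advisory): the string assumed to be
# passed to --ping-user-agent, and the ping path (assumed default /ping; adjust
# if --ping-path is customised in your deployment).
HEALTH_CHECK_UA = "internal-healthcheck/1.0"
PING_PATHS = {"/ping"}

# Matches the nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_requests(lines, health_ua=HEALTH_CHECK_UA, ping_paths=PING_PATHS):
    """Return records where the health-check User-Agent reached a path other than
    the ping endpoint and received a 2xx/3xx answer. A genuine health checker only
    ever requests the ping path; anything else with that UA that was not rejected
    is a candidate CVE-2026-34457 bypass and should be investigated."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        path = rec["path"].split("?", 1)[0]
        if rec["ua"] == health_ua and path not in ping_paths and rec["status"][0] in "23":
            hits.append(rec)
    return hits

def sources_by_count(hits):
    """Rank source addresses by the number of suspicious requests they made."""
    return Counter(h["ip"] for h in hits).most_common()

# Constructed sample log lines (combined format): one legitimate ping, two
# non-ping requests spoofing the health-check UA, one normal unauthenticated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Apr/2026:10:00:01 +0000] "GET /ping HTTP/1.1" 200 2 "-" "internal-healthcheck/1.0"
203.0.113.7 - - [14/Apr/2026:10:00:02 +0000] "GET /admin/users HTTP/1.1" 200 5120 "-" "internal-healthcheck/1.0"
203.0.113.7 - - [14/Apr/2026:10:00:03 +0000] "POST /api/config HTTP/1.1" 302 0 "-" "internal-healthcheck/1.0"
198.51.100.2 - - [14/Apr/2026:10:00:04 +0000] "GET /admin/users HTTP/1.1" 401 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, n in sources_by_count(suspicious_requests(SAMPLE_LOG)):
        print(f"{ip}: {n} non-ping request(s) with the health-check User-Agent")
```

To run it against a real deployment, replace SAMPLE_LOG with the lines of your Nginx access log and HEALTH_CHECK_UA with the value actually passed to --ping-user-agent.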
disclosure
patch
Exploit Status
EPSS
0.09% (25th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34457 is to upgrade OAuth2 Proxy to version 7.15.2 or later. If an immediate upgrade is not feasible, consider disabling the --ping-user-agent or --gcp-healthchecks flags. Alternatively, implement a Web Application Firewall (WAF) or reverse proxy to filter requests based on the User-Agent header, blocking requests with the health check User-Agent value. Carefully review OAuth2 Proxy configurations to ensure that auth_request integration is not used in conjunction with the vulnerable health check flags. After upgrading, confirm the fix by attempting to access protected resources with a request containing the health check User-Agent; authentication should be required.
Upgrade OAuth2 Proxy to version 7.15.2 or later to mitigate the vulnerability. This update fixes the issue by ensuring that requests carrying the health check User-Agent are properly authenticated. Make sure that the --ping-user-agent or --gcp-healthchecks configuration is appropriate for your environment.
CVE-2026-34457 is a critical authentication bypass vulnerability in OAuth2 Proxy affecting deployments using auth_request with --ping-user-agent or --gcp-healthchecks, allowing unauthorized access.
You are affected if you use OAuth2 Proxy with auth_request and either --ping-user-agent or --gcp-healthchecks enabled, and are running a version prior to 7.15.2.
Upgrade OAuth2 Proxy to version 7.15.2 or later. Alternatively, disable --ping-user-agent or --gcp-healthchecks or implement WAF rules.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation and critical severity suggest a potential for active exploitation.
Refer to the official OAuth2 Proxy security advisory for detailed information and updates: [https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5x9g-x49g-949x](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5x9g-x49g-949x)