OAuth2 Proxy Authentication Bypass with Health Check

Identifiers: GHSA-5hvv-m4w4-gf6v · CVE-2026-34457 · BIT-oauth2-proxy-2026-34457
Summary

A specific configuration of OAuth2 Proxy allows unauthorized access to protected resources. This happens when a health check with a custom User-Agent (--ping-user-agent or --gcp-healthchecks) is combined with an auth_request-style integration: a request carrying that User-Agent is treated as a health check whatever path it asks for. To fix, upgrade to OAuth2 Proxy v7.15.2 or later, or apply one of the workarounds, such as disabling the health checks or removing the custom User-Agent configuration.

What to do
  • Update oauth2-proxy (github.com) to version 7.15.2 or later.
  • Update the Bitnami oauth2-proxy package to version 7.15.2 or later.
Affected software

  Ecosystem  Vendor      Product       Affected versions  Fix
  go         github.com  oauth2-proxy  < 7.15.2           upgrade to 7.15.2
  go         github.com  oauth2-proxy  <= 3.2.0           –
  Bitnami    –           oauth2-proxy  < 7.15.2           upgrade to 7.15.2
Original title
OAuth2 Proxy: Health Check User-Agent Matching Bypasses Authentication in auth_request Mode
Original description
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2.
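As an added defender-side check (not part of the advisory or of the oauth2-proxy project), the script below scans the front-end nginx access log for requests that carry the configured health-check User-Agent but target something other than the health endpoints; in an affected deployment those are exactly the requests the auth_request subrequest would have accepted without authentication. It assumes the nginx combined log format, the default /ping and /ready health paths, and a deployment whose --ping-user-agent was set to the kubelet probe UA "kube-probe/" (a constructed value; substitute your own, or "GoogleHC" for --gcp-healthchecks).

```python
import re
from typing import Dict, Iterable, List, Sequence

# nginx "combined" log format of the front end that issues the auth_request:
# ip - user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def find_health_ua_on_protected_paths(
    lines: Iterable[str],
    health_uas: Sequence[str],
    health_paths: Sequence[str] = ("/ping", "/ready"),
) -> List[Dict[str, object]]:
    """Flag requests whose User-Agent matches a configured health-check value
    but whose path is not a health endpoint. Before 7.15.2 the auth_request
    subrequest answered such a request as a successful health check, so the
    front end forwarded it to the upstream unauthenticated.
    Matching is by prefix: the advisory does not say whether the proxy compares
    exactly, so over-approximate and accept a few false positives.
    """
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        ua = m.group("ua")
        if not any(ua.startswith(h) for h in health_uas):
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path in health_paths:
            continue  # legitimate probe of a health endpoint
        findings.append({"ts": m.group("ts"), "ip": m.group("ip"), "path": path,
                         "status": int(m.group("status")), "ua": ua})
    return findings

# Constructed sample lines (not real traffic): a legitimate probe, a request
# with the probe UA to a protected path, and an ordinary browser request.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Apr/2026:10:00:01 +0000] "GET /ping HTTP/1.1" 200 2 "-" "kube-probe/1.29"',
    '203.0.113.7 - - [14/Apr/2026:10:00:02 +0000] "GET /admin/users?page=1 HTTP/1.1" 200 5120 "-" "kube-probe/1.29"',
    '198.51.100.3 - - [14/Apr/2026:10:00:03 +0000] "GET /admin/users HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Assumed deployment: --ping-user-agent set to the kubelet probe UA (constructed).
    for f in find_health_ua_on_protected_paths(SAMPLE_LOG, ["kube-probe/"]):
        print(f"{f['ts']} {f['ip']} {f['ua']!r} reached {f['path']} (HTTP {f['status']})")
```

A hit with a 2xx status on a path the proxy should have gated is the signal to investigate; after upgrading to 7.15.2 the same scan is still worth keeping as a regression check.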
Severity: CVSS 3.1 base score 9.1 (GHSA)
Vulnerability type: CWE-290 (Authentication Bypass by Spoofing)
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 14 Apr 2026