Configuration-Dependent Authentication Bypass in OAuth2 Proxy by Oauth2 Proxy
CVE-2026-34457

9.1CRITICAL

Key Information:

Vendor: Oauth2-proxy
Status: Oauth2-proxy
Vendor: CVE Published:; 14 April 2026

🔔 Create Oauth2-proxy Vulnerability Alert

What is CVE-2026-34457?

OAuth2 Proxy, a reverse proxy that provides authentication using OAuth2 providers, is prone to a configuration-dependent authentication bypass issue. This vulnerability affects deployments using an auth_request-style integration (such as nginx auth_request) with either the --ping-user-agent option or --gcp-healthchecks enabled. In these configurations, OAuth2 Proxy fails to properly authenticate requests featuring the designated health check User-Agent value, leading to potential unauthorized access to protected upstream resources by unauthenticated remote attackers. Deployments not using these specific integrations remain unaffected. The issue has been addressed in version 7.15.2.

Affected Version(s)

oauth2-proxy < 7.15.2

References

https://github.com/oauth2-proxy/oauth2-proxy/security/adv...

x_refsource_CONFIRM

https://github.com/oauth2-proxy/oauth2-proxy/releases/tag...

x_refsource_MISC

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Mar 27, 2026

CVE-2026-34457 Data

JSON