Authentication Bypass in OAuth2 Proxy Affects Multiple Versions
CVE-2026-41059

8.2 HIGH

Key Information:

CVE Published:
21 April 2026

What is CVE-2026-41059?

OAuth2 Proxy versions 7.5.0 through 7.15.1 contain a configuration-dependent authentication bypass. It affects deployments that rely on 'skip_auth_routes' or the legacy 'skip_auth_regex' option, and in particular those whose patterns are broad enough to be satisfied by attacker-controlled parts of the request. An unauthenticated attacker can send a request whose target contains the fragment delimiter '#', or its percent-encoded form '%23', so that the path is tested against the allowlist in a form that matches a skip rule; the proxy then forwards the request to a protected upstream without requiring authentication. Version 7.15.2 fixes this by normalizing request paths more conservatively before matching, so that a fragment delimiter can no longer influence the outcome. Operators should also review their skip rules independently of the upgrade: replace broad or unanchored 'skip_auth_routes' and 'skip_auth_regex' entries with precise, anchored patterns, and remove any that are not needed.
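The following Go program is an added illustration of the matching problem described above; it is not oauth2-proxy's code and does not reproduce the actual 7.15.2 patch. It assumes a hypothetical skip rule for a '/healthz' endpoint and uses constructed request-targets. The naive matcher applies the rule to the raw request-target, fragment delimiter and all; the hardened matcher first discards anything from a literal '#', percent-decodes the remainder, refuses a path in which decoding produced a '#', and fails closed. A small configuration check also rejects skip patterns that are not anchored at both ends.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// naiveSkipAuth models the weak behaviour: the skip rule is tested against the
// request-target exactly as it arrived, '#' and percent-encoding included.
// This is a constructed model, not oauth2-proxy's own matcher.
func naiveSkipAuth(rules []*regexp.Regexp, rawTarget string) bool {
	for _, re := range rules {
		if re.MatchString(rawTarget) {
			return true
		}
	}
	return false
}

// normalizePath derives the path the authorization decision is made on.
// Everything from the first literal '#' is dropped, since a fragment is never
// part of the resource an upstream serves; the remainder is parsed as a
// request-URI so the query string is separated and percent-encoding decoded.
// If decoding yields a '#', the client sent %23 to smuggle a delimiter past
// the rule, and the request is rejected instead of guessed at.
func normalizePath(rawTarget string) (string, error) {
	if i := strings.IndexByte(rawTarget, '#'); i >= 0 {
		rawTarget = rawTarget[:i]
	}
	u, err := url.ParseRequestURI(rawTarget)
	if err != nil {
		return "", err
	}
	if strings.ContainsRune(u.Path, '#') {
		return "", fmt.Errorf("encoded fragment delimiter in path %q", u.Path)
	}
	return u.Path, nil
}

// hardenedSkipAuth applies the rules to the normalized path and fails closed:
// anything that cannot be normalized still requires authentication.
func hardenedSkipAuth(rules []*regexp.Regexp, rawTarget string) bool {
	p, err := normalizePath(rawTarget)
	if err != nil {
		return false
	}
	for _, re := range rules {
		if re.MatchString(p) {
			return true
		}
	}
	return false
}

// compileAnchored is a configuration check: it compiles skip patterns and
// refuses any that are not anchored with both '^' and '$', the shape of rule
// the advisory recommends.
func compileAnchored(patterns []string) ([]*regexp.Regexp, error) {
	var rules []*regexp.Regexp
	for _, p := range patterns {
		if !strings.HasPrefix(p, "^") || !strings.HasSuffix(p, "$") {
			return nil, errors.New("skip rule must be anchored with ^ and $: " + p)
		}
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, err
		}
		rules = append(rules, re)
	}
	return rules, nil
}

func main() {
	loose := []*regexp.Regexp{regexp.MustCompile("/healthz")} // broad, unanchored
	tight, err := compileAnchored([]string{"^/healthz$"})     // precise, anchored
	if err != nil {
		panic(err)
	}
	// Constructed request-targets; not taken from real traffic.
	targets := []string{
		"/healthz",
		"/healthz?x=1",
		"/api/secret#/healthz",
		"/api/secret%23/healthz",
		"/api/secret/healthz",
	}
	for _, t := range targets {
		fmt.Printf("%-24s naive+loose=%-5v hardened+tight=%v\n",
			t, naiveSkipAuth(loose, t), hardenedSkipAuth(tight, t))
	}
}
```

Note that normalization alone does not rescue a broad rule: with the unanchored '/healthz' pattern, the hardened matcher still skips authentication for '/api/secret/healthz', which is why the advisory pairs the upgrade with anchored rules.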

Affected Version(s)

oauth2-proxy >= 7.5.0, < 7.15.2

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
