Description

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2.

INFO

Published Date :

2026-04-14T22:14:38.937Z

Last Modified :

2026-04-15T17:43:30.711Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34457 vulnerability.

Vendors Products
Oauth2 Proxy Project
  • Oauth2 Proxy
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34457.

URL Resource
https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2 cve-icon cve-icon
https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact