Cyber Resilience

CVE-2026-34457

Severity: Critical

Published: 14 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: available (7.15.2)
CVSS v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS: 0.0047 (37.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-34457 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in OAuth2 Proxy (listed as Oauth2 Proxy Project Oauth2 Proxy). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 37.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34457 is a configuration-dependent authentication bypass vulnerability in OAuth2 Proxy, a reverse proxy that provides authentication using OAuth2 providers. It affects versions prior to 7.15.2 when deployed with an auth_request-style integration, such as nginx auth_request, and either the --ping-user-agent flag or --gcp-healthchecks is enabled. In these setups, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check, irrespective of the requested path. The vulnerability is scored at CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-290 (Authentication Bypass by Spoofing).

An unauthenticated remote attacker can exploit this issue by crafting a request that mimics the health check User-Agent value. This allows the attacker to bypass authentication entirely and gain unauthorized access to protected upstream resources, potentially leading to high confidentiality and integrity impacts without requiring privileges, user interaction, or scope changes. Deployments not using auth_request-style subrequests or without the specified flags enabled remain unaffected.

The vulnerability is addressed in OAuth2 Proxy version 7.15.2, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to this version or later and review configurations to disable unnecessary health check features if auth_request integrations are in use. Relevant details are available at https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2 and https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v.

Vulnerability details

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2.
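As an added illustration of the bypass condition described in the Deeper analysis and Vulnerability details sections (this is not code from the OAuth2 Proxy project or from this advisory), the following Go snippet triages nginx access-log lines for requests that present the configured health-check User-Agent on a path other than a health-check path, which is exactly the traffic an affected auth_request deployment would have admitted without a session. The User-Agent value "Envoy/HC", the health paths /ping and /ready, and the log lines themselves are constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// Assumed values: the deployment's --ping-user-agent is "Envoy/HC" and its only
// legitimate health-check paths are /ping and /ready. Substitute your own.
const pingUserAgent = "Envoy/HC"
var healthPaths = map[string]bool{"/ping": true, "/ready": true}

// nginx "combined" format: client - user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"`)

// Hit is one request that presented the health-check User-Agent on a non-health path.
type Hit struct{ Client, Method, Path, Status string }

// SuspiciousHealthUA returns every parsable line whose User-Agent equals the
// configured health-check UA but whose path is not a health-check path. In an
// affected auth_request deployment such a request was admitted with no session;
// a 2xx status means the protected upstream actually served it.
func SuspiciousHealthUA(lines []string, ua string) []Hit {
	var hits []Hit
	for _, l := range lines {
		m := lineRe.FindStringSubmatch(l)
		if m == nil {
			continue // not a combined-format line: skip rather than guess
		}
		client, method, path, status, agent := m[1], m[2], m[3], m[4], m[5]
		if agent == ua && !healthPaths[path] {
			hits = append(hits, Hit{client, method, path, status})
		}
	}
	return hits
}

// Constructed sample access log (not real traffic): a genuine probe, an ordinary
// browser request that was redirected to log in, and two UA-spoofing requests.
var SampleLog = []string{
	`203.0.113.7 - - [14/Apr/2026:10:00:01 +0000] "GET /ping HTTP/1.1" 200 2 "-" "Envoy/HC"`,
	`203.0.113.7 - - [14/Apr/2026:10:00:02 +0000] "GET /admin/users HTTP/1.1" 200 5120 "-" "Envoy/HC"`,
	`198.51.100.4 - - [14/Apr/2026:10:00:03 +0000] "GET /admin/users HTTP/1.1" 302 0 "-" "Mozilla/5.0"`,
	`203.0.113.7 - - [14/Apr/2026:10:00:04 +0000] "POST /api/orders HTTP/1.1" 201 42 "-" "Envoy/HC"`,
}

func main() {
	for _, h := range SuspiciousHealthUA(SampleLog, pingUserAgent) {
		fmt.Printf("%s %s %s -> %s: health-check UA on a non-health path\n", h.Client, h.Method, h.Path, h.Status)
	}
}
```

Only the client-facing request is logged by nginx, not the auth_request subrequest, so the main access log is the right place to look; a hit with a 2xx status is the strongest indicator that the bypass was actually exercised.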

CWE(s)

CWE-290 Authentication Bypass by Spoofing
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in public-facing OAuth2 Proxy (reverse proxy) directly enables T1190 (Exploit Public-Facing Application) for unauthenticated remote access to protected resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40575: same product (Oauth2 Proxy Project Oauth2 Proxy)
CVE-2025-54576: same product (Oauth2 Proxy Project Oauth2 Proxy)
CVE-2026-41059: same product (Oauth2 Proxy Project Oauth2 Proxy)
CVE-2018-25316: shared CWE-290
CVE-2026-0834: shared CWE-290
CVE-2025-69401: shared CWE-290
CVE-2025-27671: shared CWE-290
CVE-2026-31889: shared CWE-290
CVE-2026-35622: shared CWE-290
CVE-2026-8644: shared CWE-290

Affected Assets

Vendor: oauth2 proxy project
Product: oauth2 proxy
Versions: ≤ 7.15.2 as listed; the advisory text above states the issue is fixed in 7.15.2, so the affected range is versions prior to 7.15.2.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Remediating flaws by applying the vendor patch to OAuth2 Proxy version 7.15.2 or later directly eliminates the authentication bypass vulnerability.

CM-6 Configuration Settings (prevent): Establishing and enforcing secure configuration settings for OAuth2 Proxy, such as disabling --ping-user-agent or --gcp-healthchecks when using auth_request integrations, prevents the User-Agent spoofing bypass.

CM-7 Least Functionality (prevent): Restricting OAuth2 Proxy to least functionality by prohibiting unnecessary health check features reduces the attack surface for configuration-dependent authentication bypasses.
