CVE-2026-34457
Published: 14 April 2026
Summary
CVE-2026-34457 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in OAuth2 Proxy (vendor: OAuth2 Proxy Project). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Remediating the flaw by upgrading OAuth2 Proxy to version 7.15.2 or later removes the authentication bypass entirely.
Establishing and enforcing a secure configuration baseline for OAuth2 Proxy, in particular not setting --ping-user-agent and not enabling --gcp-healthchecks in deployments that use auth_request integrations, prevents the User-Agent spoofing bypass in unpatched versions.
Restricting OAuth2 Proxy to least functionality by disabling health check features that are not actually needed reduces the attack surface for this and similar configuration-dependent authentication bypasses.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authentication bypass in a public-facing OAuth2 Proxy (reverse proxy) deployment maps directly to T1190 (Exploit Public-Facing Application), since it gives an unauthenticated remote attacker access to the protected resources behind the proxy.
NVD Description
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2.
Deeper analysis
CVE-2026-34457 is a configuration-dependent authentication bypass vulnerability in OAuth2 Proxy, a reverse proxy that provides authentication using OAuth2 providers. It affects versions prior to 7.15.2 when deployed with an auth_request-style integration, such as nginx auth_request, and either the --ping-user-agent flag or --gcp-healthchecks is enabled. In these setups, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check, irrespective of the requested path. The vulnerability is scored at CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-290 (Authentication Bypass by Spoofing).
An unauthenticated remote attacker can exploit this issue by sending a request whose User-Agent header matches the configured health check value. In an affected configuration this bypasses authentication entirely and grants access to protected upstream resources, with high confidentiality and integrity impact and no requirement for privileges, user interaction, or a scope change. Deployments that do not use auth_request-style subrequests, or that do not enable the flags named above, are unaffected.
The vulnerability is addressed in OAuth2 Proxy version 7.15.2, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to this version or later and review configurations to disable unnecessary health check features if auth_request integrations are in use. Relevant details are available at https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2 and https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v.
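As an added defender's example (not code from the OAuth2 Proxy project or from the advisory), the following Go snippet scans nginx combined-format access log lines for the pattern described above: the configured health check User-Agent presented on a path other than the ping path. It assumes the ping path is /ping (substitute your own --ping-path value) and uses constructed sample log lines.

```go
package main

import "strings"

// Policy holds the health-check settings of one OAuth2 Proxy deployment:
// PingUserAgent is the --ping-user-agent value; PingPath is assumed to be
// "/ping" in this example (substitute your own --ping-path setting).
type Policy struct {
	PingPath      string
	PingUserAgent string
}

// parseCombined pulls the request path and User-Agent out of an nginx
// combined-format access-log line; ok is false for lines it cannot parse.
func parseCombined(line string) (path, ua string, ok bool) {
	parts := strings.Split(line, `"`)
	if len(parts) < 7 {
		return "", "", false
	}
	req := strings.Fields(parts[1]) // e.g. GET /admin HTTP/1.1
	if len(req) < 2 {
		return "", "", false
	}
	return req[1], parts[5], true
}

// SpoofedHealthChecks returns the log lines whose User-Agent equals the
// health-check value but whose path is not the ping path. A genuine prober only
// requests the ping path, so every hit is either a bypass attempt (pre-7.15.2 it
// would have been accepted as a successful health check) or a misconfigured prober.
func SpoofedHealthChecks(p Policy, lines []string) []string {
	var hits []string
	if p.PingUserAgent == "" {
		return hits // --ping-user-agent not set: nothing to spoof
	}
	for _, l := range lines {
		path, ua, ok := parseCombined(l)
		if ok && ua == p.PingUserAgent && path != p.PingPath {
			hits = append(hits, l)
		}
	}
	return hits
}

// SampleLog is a constructed set of access-log lines for demonstration only.
var SampleLog = []string{
	`10.0.0.5 - - [14/Apr/2026:10:00:01 +0000] "GET /ping HTTP/1.1" 200 2 "-" "lb-health/1.0"`,
	`10.0.0.9 - - [14/Apr/2026:10:00:02 +0000] "GET /admin HTTP/1.1" 200 512 "-" "lb-health/1.0"`,
	`10.0.0.9 - - [14/Apr/2026:10:00:03 +0000] "GET /admin HTTP/1.1" 401 0 "-" "Mozilla/5.0"`,
}
```

Run it against the proxy's access log with your real health check User-Agent; any hit on a patched deployment still indicates someone probing the bypass.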
Details
- CWE(s): CWE-290 (Authentication Bypass by Spoofing)