Vulnerability Details CVE-2026-34457
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2.
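An exposure check built from the three conditions in the description above, as an added example (not OAuth2 Proxy project code). The function names, the operator-supplied `uses_auth_request` input, the accepted boolean spellings and the sample arguments are assumptions made for illustration.

```python
# Added example: audit one oauth2-proxy deployment against CVE-2026-34457.
FIXED = (7, 15, 2)  # first fixed release, per the description above


def parse_version(text):
    """'v7.10.0' -> (7, 10, 0). Numeric compare, so 7.10.0 sorts after 7.2.0.
    Assumes plain dotted numeric versions (no pre-release suffix)."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def healthcheck_flags(argv):
    """Return the health check options from the advisory that are active in argv."""
    found = {}
    i = 0
    while i < len(argv):
        name, sep, value = argv[i].partition("=")
        if name == "--ping-user-agent":
            if not sep and i + 1 < len(argv):  # "--ping-user-agent VALUE" form
                i += 1
                value = argv[i]
            if value:                          # an empty value means "not set"
                found[name] = value
        elif name == "--gcp-healthchecks":
            # Boolean flag: bare form means true (accepted spellings are assumed).
            if not sep or value.lower() in ("1", "t", "true"):
                found[name] = "true"
        i += 1
    return found


def assess(version, argv, uses_auth_request):
    """uses_auth_request: True if a front proxy (e.g. nginx auth_request) sends
    authorization subrequests to this instance. It cannot be derived from argv."""
    flags = healthcheck_flags(argv)
    affected = parse_version(version) < FIXED and uses_auth_request and bool(flags)
    return affected, flags


if __name__ == "__main__":
    # Constructed sample deployment, not taken from any real system.
    sample = ["--http-address=0.0.0.0:4180", "--ping-user-agent", "probe/1.0"]
    print(assess("7.14.3", sample, uses_auth_request=True))
```

A deployment reported as affected should be upgraded to 7.15.2.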
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 26.8%
CVSS Severity
CVSS v3 Score 9.1
Products affected by CVE-2026-34457
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:0.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:1.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:1.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:1.1.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:2.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:2.0.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:2.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:2.2
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:3.0.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:3.1.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:3.2.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:4.0.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:4.1.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:5.0.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:5.1.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:5.1.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:6.0.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:6.1.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:6.1.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.0.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.0.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.1.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.1.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.1.2
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.1.3
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.10.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.11.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.12.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.13.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.14.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.14.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.14.2
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.14.3
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.15.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.15.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.2.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.2.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.3.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.4.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.5.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.5.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.6.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.7.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.7.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.8.0
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.8.1
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.8.2
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.9.0