OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2.
References
| Link | Resource |
|---|---|
| https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2 | Release Notes |
| https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v | Vendor Advisory Mitigation |
Configurations
History
23 Apr 2026, 14:14
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2 - Release Notes | |
| References | () https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v - Vendor Advisory, Mitigation | |
| CPE | cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:*:*:*:*:*:*:*:* | |
| First Time |
Oauth2 Proxy Project
Oauth2 Proxy Project oauth2 Proxy |
14 Apr 2026, 23:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-14 23:16
Updated : 2026-04-23 14:14
NVD link : CVE-2026-34457
Mitre link : CVE-2026-34457
CVE.ORG link : CVE-2026-34457
JSON object : View
Products Affected
oauth2_proxy_project
- oauth2_proxy
CWE
CWE-290
Authentication Bypass by Spoofing