JustAppSec

OAuth2 Proxy patches auth_request health-check auth bypass

1 min read
Published: 14 Apr 2026
Updated: 14 Apr 2026
Source: CVEProject (cvelistV5)

TL;DR — A Critical oauth2-proxy auth bypass lets attackers spoof a “health check” User-Agent to skip authentication in certain auth_request setups.

What happened

OAuth2 Proxy (oauth2-proxy) is a reverse proxy that adds OAuth2/OIDC authentication in front of upstream applications.

CVE-2026-34457 describes a configuration-dependent authentication bypass in deployments that use an auth_request-style integration (for example, nginx auth_request) and either set --ping-user-agent or enable --gcp-healthchecks. In affected configurations, OAuth2 Proxy treats requests with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated attacker to access protected upstream resources.

Item          Source value
Weakness      CWE-290 (Authentication Bypass by Spoofing)
Severity      CVSS v3.1 9.1 (Critical)
CVSS vector   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Why this matters: “special-case” health-check logic is frequently deployed at the edge, and when it can be triggered via client-controlled headers it becomes a high-leverage auth bypass primitive.

Who is impacted

  • Deployments running oauth2-proxy versions < 7.15.2.
  • Deployments where all of the following are true:
    • OAuth2 Proxy is used with an auth_request-style integration (e.g., nginx auth_request).
    • --ping-user-agent is set or --gcp-healthchecks is enabled.
  • Per the advisory, deployments that do not use auth_request-style subrequests, or that do not enable --ping-user-agent/--gcp-healthchecks, are not affected.

What to do now

  • Follow vendor remediation guidance and apply a release that includes the fix.
  • GitHub’s advisory states:

    "Users should upgrade to v7.15.2 or later once available."

  • If you can’t upgrade immediately, GitHub’s advisory lists mitigations:

    "Users can mitigate this issue by: disabling --gcp-healthchecks; removing any configured --ping-user-agent; ensuring the reverse proxy does not forward client-controlled User-Agent headers to the OAuth2 Proxy auth subrequest; using path-based health checks only, on dedicated health check endpoints"

  • Validate your reverse-proxy configuration for any auth_request subrequest locations to ensure the subrequest User-Agent cannot be attacker-controlled (and add regression tests for this class of bypass).
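To make the bug class concrete, here is an added Go model (not oauth2-proxy's own code) of the auth_request decision: a weak check that trusts the User-Agent header beside a hardened check that only recognises a dedicated health-check path. The ping User-Agent value, the /ping path and the session cookie value are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed value standing in for --ping-user-agent (assumption, not a real deployment's).
const pingUserAgent = "kube-probe/1.0"

// weakIsHealthCheck mirrors the described vulnerable behaviour: any request whose
// User-Agent equals the configured ping UA counts as a health check, whatever the path.
func weakIsHealthCheck(r *http.Request) bool {
	return r.UserAgent() == pingUserAgent
}

// hardenedIsHealthCheck keys the decision on a dedicated path only (assumed /ping),
// so a client-controlled header cannot turn an auth subrequest into a probe.
func hardenedIsHealthCheck(r *http.Request) bool {
	return r.Method == http.MethodGet && r.URL.Path == "/ping"
}

// authorize stands in for the auth_request endpoint: 200 for a health check or a
// valid session cookie (constructed value), 401 otherwise.
func authorize(r *http.Request, isHealth func(*http.Request) bool) int {
	if isHealth(r) {
		return http.StatusOK
	}
	if c, err := r.Cookie("_oauth2_proxy"); err == nil && c.Value == "valid-session" {
		return http.StatusOK
	}
	return http.StatusUnauthorized
}

// decide builds the auth subrequest nginx would send for an upstream path when the
// reverse proxy forwards the client's User-Agent, and returns the auth status code.
func decide(path, ua string, isHealth func(*http.Request) bool) int {
	r := httptest.NewRequest(http.MethodGet, path, nil)
	r.Header.Set("User-Agent", ua)
	return authorize(r, isHealth)
}

func main() {
	fmt.Println("weak, /admin with ping UA:     ", decide("/admin", pingUserAgent, weakIsHealthCheck))     // 200: bypass
	fmt.Println("hardened, /admin with ping UA: ", decide("/admin", pingUserAgent, hardenedIsHealthCheck)) // 401
	fmt.Println("hardened, /ping from a prober: ", decide("/ping", "curl/8", hardenedIsHealthCheck))       // 200
}
```

The hardened variant is the shape the advisory's "path-based health checks only, on dedicated health check endpoints" mitigation describes; pairing it with a reverse-proxy rule that does not forward the client User-Agent to the auth subrequest removes the header from the decision entirely.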

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
