{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34457", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T18:18:14.895Z", "datePublished": "2026-04-14T22:14:38.937Z", "dateUpdated": "2026-04-15T17:43:30.711Z"}, "containers": {"cna": {"title": "OAuth2 Proxy: Health Check User-Agent Matching Bypasses Authentication in auth_request Mode", "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v"}, {"name": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2"}], "affected": [{"vendor": "oauth2-proxy", "product": "oauth2-proxy", "versions": [{"version": "< 7.15.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T22:14:38.937Z"}, "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2."}], "source": {"advisory": "GHSA-5hvv-m4w4-gf6v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T17:43:23.417901Z", "id": "CVE-2026-34457", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:43:30.711Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34457", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T17:43:23.417901Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:43:27.058Z"}}], "cna": {"title": "OAuth2 Proxy: Health Check User-Agent Matching Bypasses Authentication in auth_request Mode", "source": {"advisory": "GHSA-5hvv-m4w4-gf6v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "oauth2-proxy", "product": "oauth2-proxy", "versions": [{"status": "affected", "version": "< 7.15.2"}]}], "references": [{"url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v", "name": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2", "name": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T22:14:38.937Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34457", "state": "PUBLISHED", "dateUpdated": "2026-04-15T17:43:30.711Z", "dateReserved": "2026-03-27T18:18:14.895Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T22:14:38.937Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:*:*:*:*:*:*:*:*", "matchCriteriaId": "8ECD42F0-BA8D-4BA5-A347-1CAD636DCF70", "versionEndExcluding": "7.15.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2."}], "id": "CVE-2026-34457", "lastModified": "2026-04-23T14:14:48.253", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T23:16:28.330", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.15.2)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "oauth2-proxy", "source": "cna", "vendor": "oauth2-proxy"}, "product": "oauth2_proxy", "vendor": "oauth2_proxy_project"}], "analysis": {"en": {"generated_at": "2026-04-14T23:50:44.147090+00:00", "value": {"mitigation_remediation": ["Upgrade OAuth2 Proxy to version 7.15.2 or later, where the health\u2011check bypass is resolved.", "If a patch is not immediately available, remove the --ping-user-agent or --gcp-healthchecks flags from the OAuth2 Proxy configuration to disable health\u2011check User\u2011Agent matching.", "Monitor incoming HTTP traffic for requests that contain the health\u2011check User\u2011Agent string and target protected resources, and alert on any such activity to detect exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The affected product is oauth2-proxy:oauth2-proxy. Deployments using a version earlier than 7.15.2 in an auth_request\u2011style configuration that enable the health\u2011check User\u2011Agent matching via --ping-user-agent or the GCP health\u2011check mode are impacted. Configurations that do not use auth_request sub\u2011requests or do not enable these flags remain unaffected.", "description_and_impact": "OAuth2 Proxy versions before 7.15.2 allow a configuration-dependent authentication bypass when used in auth_request mode with either the --ping-user-agent or --gcp-healthchecks features enabled. The proxy treats any request bearing the specified health\u2011check User\u2011Agent string as a successful health check regardless of the requested path, effectively authenticating the client. An attacker who can send a request with that User\u2011Agent header to any upstream endpoint protected by the proxy can bypass authentication and obtain unauthorized access to the protected resource. The weakness is identified as CWE\u2011290 (Improper Restriction or Check for Validity of Authentication).", "risk_and_exploitability": "The CVSS score of 9.1 indicates a critical level of risk, reflecting remote authentication bypass that could allow unrestricted access to protected services. While EPSS data is not available and the vulnerability is not listed in the KEV catalog, the lack of a current exploit report does not diminish the severity of the flaw, as the bypass can be invoked simply by sending an HTTP request with the matching User\u2011Agent header. The attack vector is network\u2011based and does not require privileged client access; the attacker just needs to craft an HTTP request with the specific User\u2011Agent string used in health checks."}}}}, "created": "2026-04-15T13:48:23.616610+00:00", "updated": "2026-04-15T14:31:57.024934+00:00", "vendors": ["oauth2_proxy_project", "oauth2_proxy_project$PRODUCT$oauth2_proxy"]}