{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41059", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-16T16:43:03.173Z", "datePublished": "2026-04-21T23:17:46.743Z", "dateUpdated": "2026-04-22T13:13:50.227Z"}, "containers": {"cna": {"title": "OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex", "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "lang": "en", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg"}], "affected": [{"vendor": "oauth2-proxy", "product": "oauth2-proxy", "versions": [{"version": ">= 7.5.0, < 7.15.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:17:46.743Z"}, "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of `skip_auth_routes` or the legacy `skip_auth_regex`; use of patterns that can be widened by attacker-controlled suffixes, such as `^/foo/.*/bar$` causing potential exposure of `/foo/secret`; and protected upstream applications that interpret `#` as a fragment delimiter or otherwise route the request to the protected base path. In deployments that rely on these settings, an unauthenticated attacker can send a crafted request containing a number sign in the path, including the browser-safe encoded form `%23`, so that OAuth2 Proxy matches a public allowlist rule while the backend serves a protected resource. Deployments that do not use these skip-auth options, or that only allow exact public paths with tightly scoped method and path rules, are not affected. A fix has been implemented in version 7.15.2 to normalize request paths more conservatively before skip-auth matching so fragment content does not influence allowlist decisions. Users who cannot upgrade immediately can reduce exposure by tightening or removing `skip_auth_routes` and `skip_auth_regex` rules, especially patterns that use broad wildcards across path segments. Recommended mitigations include replacing broad rules with exact, anchored public paths and explicit HTTP methods; rejecting requests whose path contains `%23` or `#` at the ingress, load balancer, or WAF level; and/or avoiding placing sensitive application paths behind broad `skip_auth_routes` rules."}], "source": {"advisory": "GHSA-pxq7-h93f-9jrg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:13:43.229207Z", "id": "CVE-2026-41059", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:13:50.227Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41059", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T13:13:43.229207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:13:46.482Z"}}], "cna": {"title": "OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex", "source": {"advisory": "GHSA-pxq7-h93f-9jrg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "oauth2-proxy", "product": "oauth2-proxy", "versions": [{"status": "affected", "version": ">= 7.5.0, < 7.15.2"}]}], "references": [{"url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg", "name": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of `skip_auth_routes` or the legacy `skip_auth_regex`; use of patterns that can be widened by attacker-controlled suffixes, such as `^/foo/.*/bar$` causing potential exposure of `/foo/secret`; and protected upstream applications that interpret `#` as a fragment delimiter or otherwise route the request to the protected base path. In deployments that rely on these settings, an unauthenticated attacker can send a crafted request containing a number sign in the path, including the browser-safe encoded form `%23`, so that OAuth2 Proxy matches a public allowlist rule while the backend serves a protected resource. Deployments that do not use these skip-auth options, or that only allow exact public paths with tightly scoped method and path rules, are not affected. A fix has been implemented in version 7.15.2 to normalize request paths more conservatively before skip-auth matching so fragment content does not influence allowlist decisions. Users who cannot upgrade immediately can reduce exposure by tightening or removing `skip_auth_routes` and `skip_auth_regex` rules, especially patterns that use broad wildcards across path segments. Recommended mitigations include replacing broad rules with exact, anchored public paths and explicit HTTP methods; rejecting requests whose path contains `%23` or `#` at the ingress, load balancer, or WAF level; and/or avoiding placing sensitive application paths behind broad `skip_auth_routes` rules."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:17:46.743Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41059", "state": "PUBLISHED", "dateUpdated": "2026-04-22T13:13:50.227Z", "dateReserved": "2026-04-16T16:43:03.173Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T23:17:46.743Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:*:*:*:*:*:*:*:*", "matchCriteriaId": "03587628-7B66-41FF-B89D-DF35A5134CD7", "versionEndExcluding": "7.15.2", "versionStartIncluding": "7.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of `skip_auth_routes` or the legacy `skip_auth_regex`; use of patterns that can be widened by attacker-controlled suffixes, such as `^/foo/.*/bar$` causing potential exposure of `/foo/secret`; and protected upstream applications that interpret `#` as a fragment delimiter or otherwise route the request to the protected base path. In deployments that rely on these settings, an unauthenticated attacker can send a crafted request containing a number sign in the path, including the browser-safe encoded form `%23`, so that OAuth2 Proxy matches a public allowlist rule while the backend serves a protected resource. Deployments that do not use these skip-auth options, or that only allow exact public paths with tightly scoped method and path rules, are not affected. A fix has been implemented in version 7.15.2 to normalize request paths more conservatively before skip-auth matching so fragment content does not influence allowlist decisions. Users who cannot upgrade immediately can reduce exposure by tightening or removing `skip_auth_routes` and `skip_auth_regex` rules, especially patterns that use broad wildcards across path segments. Recommended mitigations include replacing broad rules with exact, anchored public paths and explicit HTTP methods; rejecting requests whose path contains `%23` or `#` at the ingress, load balancer, or WAF level; and/or avoiding placing sensitive application paths behind broad `skip_auth_routes` rules."}], "id": "CVE-2026-41059", "lastModified": "2026-04-27T19:29:00.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T00:16:27.957", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/oauth2-proxy/oauth2-proxy: OAuth2 Proxy: Authentication bypass via crafted request path leading to unauthorized access", "id": "2460440", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460440"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-551", "details": ["A flaw was found in OAuth2 Proxy. An unauthenticated attacker can exploit a configuration-dependent authentication bypass by sending a crafted request containing a number sign (#) in the path. This allows the OAuth2 Proxy to incorrectly match a public allowlist rule, leading to the exposure of protected resources from the backend application. This vulnerability can result in unauthorized access to sensitive information."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, review and tighten `skip_auth_routes` and `skip_auth_regex` configurations in OAuth2 Proxy, replacing broad wildcard patterns with exact, anchored public paths and explicit HTTP methods. Additionally, consider implementing ingress, load balancer, or Web Application Firewall (WAF) rules to reject requests containing `%23` or '#' in the path. Avoid placing sensitive application paths behind broadly defined `skip_auth_routes` rules. Configuration changes to OAuth2 Proxy may require a service restart to take effect, which could temporarily impact service availability."}, "name": "CVE-2026-41059", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:9", "fix_state": "Affected", "package_name": "rhceph/oauth2-proxy-rhel9", "product_name": "Red Hat Ceph Storage 9"}], "public_date": "2026-04-21T23:17:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41059\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41059\nhttps://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg"], "statement": "This flaw in OAuth2 Proxy allows an unauthenticated attacker to bypass authentication. Exploitation requires a specific configuration utilizing `skip_auth_routes` or `skip_auth_regex` with broad wildcard patterns, combined with a backend application that interprets the '#' character as a fragment delimiter. Red Hat deployments are only affected if these non-default configurations are in place, potentially exposing protected resources.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.5.0,7.15.2)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "oauth2-proxy", "source": "cna", "vendor": "oauth2-proxy"}, "product": "oauth2_proxy", "vendor": "oauth2_proxy_project"}], "analysis": {"en": {"generated_at": "2026-04-29T00:19:54.396950+00:00", "value": {"mitigation_remediation": ["Upgrade OAuth2 Proxy to version 7.15.2 or later, where request paths are normalized to prevent fragment confusion before skip\u2011auth matching.", "If an immediate upgrade is not possible, tighten or remove skip_auth_routes and skip_auth_regex configurations, replacing broad wildcard patterns with exact, anchored paths and explicitly defined HTTP methods.", "Reject or scrub requests that contain a hash fragment (# or %23) at the ingress, load balancer, or WAF level before they reach OAuth2 Proxy."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in oauth2-proxy:oauth2-proxy versions 7.5.0 through 7.15.1 when deployments use skip_auth_routes or skip_auth_regex with patterns that can be widened by attacker\u2011controlled suffixes and when protected upstream services interpret # as a fragment delimiter or route the request to a protected base path. Deployments that do not use these options or that restrict skip\u2011auth rules to exact paths are not affected.", "description_and_impact": "OAuth2 Proxy allows unauthenticated users to obtain protected resources by exploiting fragment confusion. When skip_auth_routes or the legacy skip_auth_regex are configured with patterns that can be broadened by suffixes, the proxy misinterprets a hash\u2011fragment indicator (# or its encoded form %23) in the request path as part of the route pattern. As a result, the proxy believes the request matches a public rule while the downstream application receives a request to a protected resource, effectively bypassing authentication. The flaw is a direct violation of authentication controls and also represents an authorization weakness, documented as CWE\u2011288 and CWE\u2011551.", "risk_and_exploitability": "With a CVSS score of 8.2 this issue is classified as high severity. The EPSS score of 0.204% indicates a very low but non\u2011zero exploitation probability. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by sending a crafted HTTP request containing a hash fragment to the proxy; the request is then allowed through the proxy\u2019s skip\u2011auth logic and reaches the protected backend. The attack can be performed remotely from any network where the proxy is reachable, and requires no credentials. Based on the description, it is inferred that the attacker can trigger the bypass by simply sending such requests without authentication. Consequently, the risk is significant and warrants immediate remediation."}}}}, "created": "2026-04-22T02:15:05.403304+00:00", "updated": "2026-04-29T00:30:16.119453+00:00", "vendors": ["oauth2_proxy_project", "oauth2_proxy_project$PRODUCT$oauth2_proxy"]}