CVE-2026-34457: Authentication Bypass via User-Agent Spoofing in OAuth2 Proxy
Vulnerability ID: CVE-2026-34457
CVSS Score: 9.1
Published: 2026-04-14
OAuth2 Proxy versions prior to 7.15.2 are vulnerable to a critical authentication bypass (CWE-290) when configured with User-Agent-based health checks in an auth_request architecture. An unauthenticated remote attacker can spoof the health check User-Agent header to bypass authorization checks entirely, gaining access to protected upstream resources.
TL;DR
Unauthenticated remote authentication bypass in OAuth2 Proxy (< 7.15.2) due to permissive health check User-Agent validation in auth_request deployments. Fixed in 7.15.2.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-290
- Attack Vector: Network
- CVSS Score: 9.1 (Critical)
- Impact: Authentication Bypass
- Exploit Status: PoC Available
- Required Configuration: auth_request + UA Health Checks
Affected Systems
- OAuth2 Proxy < 7.15.2 utilizing auth_request and --ping-user-agent
- OAuth2 Proxy < 7.15.2 utilizing auth_request and --gcp-healthchecks
- OAuth2 Proxy: < 7.15.2 (Fixed in: 7.15.2)
Mitigation Strategies
- Upgrade OAuth2 Proxy to version 7.15.2 or later.
- Disable User-Agent based health checks.
- Implement path-based health check routing.
Remediation Steps:
- Identify all OAuth2 Proxy deployments within the environment.
- Review configuration files and startup arguments for the presence of --ping-user-agent or --gcp-healthchecks.
- If upgrading to 7.15.2 is not immediately feasible, remove these configuration flags to disable User-Agent based exemptions.
- Configure cloud load balancers and infrastructure monitors to query the /ping endpoint.
- Ensure the frontend proxy (e.g., Nginx) routes /ping requests without triggering the auth_request subrequest cycle.
- Deploy OAuth2 Proxy version 7.15.2 to permanently resolve the underlying logic flaw.
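Added example (not part of this advisory or of the OAuth2 Proxy project): a log check a defender can run while the above steps are rolled out. It flags requests that carry a health-check User-Agent but target a path other than the health endpoint, which is exactly the condition the User-Agent exemption should never have accepted. The probe User-Agent strings, the extra health paths and the sample log lines are constructed assumptions; substitute the value your deployment passes to --ping-user-agent.

```python
import re
from dataclasses import dataclass

# "/ping" is the endpoint named in the advisory; the other two are assumptions
# covering typical readiness paths routed outside auth_request.
HEALTH_PATHS = {"/ping", "/ready", "/oauth2/ping"}

# Assumed probe agents: the string given to --ping-user-agent, or the cloud
# load balancer's agent. Matched exactly; mirror your own configuration here.
PROBE_AGENTS = {"kube-probe/1.29", "GoogleHC/1.0"}

# Nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    ua: str
    status: str


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probe_ua_outside_health_paths(lines, probe_agents=PROBE_AGENTS,
                                       health_paths=HEALTH_PATHS):
    """Return requests with a probe User-Agent on a non-health path.

    A 2xx status on such a request means the upstream answered without a
    session, i.e. the User-Agent exemption was applied where it must not be.
    """
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unknown format: skip rather than guess
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if rec["ua"] in probe_agents and path not in health_paths:
            findings.append(Finding(rec["ip"], rec["path"], rec["ua"], rec["status"]))
    return findings


# Constructed sample log: one legitimate probe, one browser request, two probe
# User-Agents hitting protected paths, and one malformed line.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Apr/2026:10:00:00 +0000] "GET /ping HTTP/1.1" 200 2 "-" "kube-probe/1.29"',
    '203.0.113.7 - - [14/Apr/2026:10:00:01 +0000] "GET /admin/users HTTP/1.1" 200 5123 "-" "kube-probe/1.29"',
    '198.51.100.2 - - [14/Apr/2026:10:00:02 +0000] "GET /admin/users HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Apr/2026:10:00:03 +0000] "POST /api/export?all=1 HTTP/1.1" 200 88 "-" "GoogleHC/1.0"',
    'not a log line',
]

if __name__ == "__main__":
    for f in find_probe_ua_outside_health_paths(SAMPLE_LOG):
        print(f"{f.ip} {f.path} ua={f.ua!r} status={f.status}")
```

Run it against the Nginx access log in front of OAuth2 Proxy; any hit with a 2xx status from an address that is not one of your load balancers or probes warrants the upgrade to 7.15.2 being treated as urgent.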