OAuth2 Proxy Auth Bypass Critical Vulnerability (CVE-2026-34457)

The National Vulnerability Database (NVD) has flagged CVE-2026-34457, a critical authentication bypass vulnerability impacting OAuth2 Proxy versions prior to 7.15.2. OAuth2 Proxy, a popular reverse proxy for OAuth2-based authentication, is susceptible to this flaw under specific deployment conditions. This isn’t a blanket vulnerability, which is key. It specifically targets setups where OAuth2 Proxy is integrated using an auth_request-style mechanism, like with nginx’s auth_request module, and either --ping-user-agent is set or --gcp-healthchecks is enabled.

In these configurations, an unauthenticated remote attacker can exploit the proxy’s health check logic. The NVD reports that the affected versions treat any request bearing the configured health check User-Agent value as a legitimate health check, regardless of the requested path. This effectively bypasses authentication, granting unauthorized access to protected upstream resources. The NVD assigns this a CVSS score of 9.1 (CRITICAL), underscoring the severity of unauthenticated access to sensitive systems. Deployments that don’t meet these specific auth_request or health check flag criteria are not affected. The fix is available in version 7.15.2.