OAuth2 Proxy Bypass: Fragment Handling Exposes Protected Resources

The National Vulnerability Database has detailed CVE-2026-41059, a high-severity authentication bypass in OAuth2 Proxy affecting versions 7.5.0 through 7.15.1. This vulnerability allows unauthenticated attackers to access protected resources by manipulating request paths with a number sign (#) or its encoded form (%23). The issue arises when specific skip_auth_routes or skip_auth_regex configurations are in use, particularly those with broad wildcards, and upstream applications interpret # as a fragment delimiter, effectively routing the request to a protected base path.

Attackers can craft requests that match a public allowlist rule in OAuth2 Proxy while the backend application serves content from a normally protected path. Deployments are vulnerable if they utilize configuration patterns like ^/foo/.*/bar$ which can be widened by attacker-controlled suffixes, potentially exposing sensitive paths like /foo/secret. Organizations not using these skip-auth options or those with tightly scoped, exact path rules are not affected.

Version 7.15.2 includes a fix that normalizes request paths more conservatively, preventing fragment content from influencing allowlist decisions. For those unable to upgrade immediately, the National Vulnerability Database recommends tightening or removing broad skip_auth_routes and skip_auth_regex rules. Implement exact, anchored public paths with explicit HTTP methods. Additionally, rejecting requests containing %23 or # at ingress, load balancer, or WAF levels can mitigate exposure. Avoid placing sensitive application paths behind overly broad skip_auth_routes rules.