{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/oauth2-proxy/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["oauth2-proxy","authentication-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOAuth2 Proxy is vulnerable to an authentication bypass (CVE-2026-34457) when configured with \u003ccode\u003eauth_request\u003c/code\u003e-style integration (e.g., nginx \u003ccode\u003eauth_request\u003c/code\u003e) and either the \u003ccode\u003e--ping-user-agent\u003c/code\u003e option is set or \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e is enabled. This flaw allows an unauthenticated remote attacker to gain unauthorized access to protected upstream resources. The vulnerability exists because OAuth2 Proxy incorrectly treats requests with the configured health check \u003ccode\u003eUser-Agent\u003c/code\u003e value as legitimate health checks, irrespective of the requested path. This bypasses the normal login flow, granting access without proper authentication. Versions prior to v7.15.2 are affected, alongside versions \u0026lt;= 3.2.0. 
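\u003c/p\u003e
\u003cp\u003eThe bypass leaves a recognisable trace in the reverse proxy\u0026rsquo;s access log: a request whose \u003ccode\u003eUser-Agent\u003c/code\u003e equals the configured health check value but whose path is not a health check endpoint. The Python below is an added example, not code from this brief or from the OAuth2 Proxy project; it runs that check over constructed nginx combined-format log lines. It assumes \u003ccode\u003e/ping\u003c/code\u003e and \u003ccode\u003e/ready\u003c/code\u003e are the only legitimate health check paths, takes the deployment\u0026rsquo;s \u003ccode\u003e--ping-user-agent\u003c/code\u003e value and \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e state as parameters, and uses \u003ccode\u003eGoogleHC/1.0\u003c/code\u003e as the GCP default named above.\u003c/p\u003e
```python
# Added example: flag requests that present a health-check User-Agent to a
# path that is not a health-check endpoint, the signature of an attempt to
# exploit the OAuth2 Proxy User-Agent bypass. The health paths and the log
# format are assumptions for illustration; adapt them to the deployment.

# Assumed: the proxy's own health endpoints, which a real checker legitimately hits.
HEALTH_PATHS = frozenset({'/ping', '/ready'})

# Default User-Agent matched when --gcp-healthchecks is enabled (GoogleHC/1.0 per the brief).
GCP_HEALTHCHECK_UA = 'GoogleHC/1.0'


def health_check_user_agents(ping_user_agent=None, gcp_healthchecks=False):
    '''Return the set of User-Agent values the proxy treats as health checks.'''
    agents = set()
    if ping_user_agent:
        agents.add(ping_user_agent)
    if gcp_healthchecks:
        agents.add(GCP_HEALTHCHECK_UA)
    return agents


def parse_combined_log_line(line):
    '''Parse an nginx combined-format line into (client, method, path, status, user_agent).

    Fields are located via the double-quoted sections of the combined format:
    remote_addr - remote_user [time] \"request\" status bytes \"referer\" \"user_agent\".
    Returns None for lines that do not fit that shape.
    '''
    parts = line.split('\"')
    if len(parts) != 7:
        return None
    client = parts[0].split(' ')[0]
    request = parts[1].split(' ')
    if len(request) != 3:
        return None
    status = parts[2].split()[0]
    return client, request[0], request[1], status, parts[5]


def find_bypass_attempts(log_lines, ping_user_agent=None, gcp_healthchecks=False):
    '''Return (client, method, path, status, user_agent) for every request that
    carries a health-check User-Agent but targets something other than a health path.
    Those requests are the bypass pattern: on a vulnerable proxy the auth endpoint
    answers 200 to them and the upstream serves the request unauthenticated.'''
    suspicious_agents = health_check_user_agents(ping_user_agent, gcp_healthchecks)
    hits = []
    for line in log_lines:
        parsed = parse_combined_log_line(line)
        if parsed is None:
            continue
        _client, _method, path, _status, user_agent = parsed
        # Strip the query string before comparing against the health paths.
        if user_agent in suspicious_agents and path.split('?')[0] not in HEALTH_PATHS:
            hits.append(parsed)
    return hits


# Constructed sample log lines (not real traffic) for a deployment that runs
# with --gcp-healthchecks and --ping-user-agent internal-lb-probe/2.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Apr/2026:12:00:00 +0000] \"GET /ping HTTP/1.1\" 200 2 \"-\" \"GoogleHC/1.0\"',
    '10.0.0.5 - - [15/Apr/2026:12:00:10 +0000] \"GET /ready HTTP/1.1\" 200 2 \"-\" \"internal-lb-probe/2\"',
    '203.0.113.7 - - [15/Apr/2026:12:01:03 +0000] \"GET /admin/users HTTP/1.1\" 200 5120 \"-\" \"GoogleHC/1.0\"',
    '203.0.113.7 - - [15/Apr/2026:12:01:09 +0000] \"POST /api/export?all=1 HTTP/1.1\" 200 88 \"-\" \"internal-lb-probe/2\"',
    '198.51.100.2 - - [15/Apr/2026:12:02:00 +0000] \"GET /admin/users HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\"',
    'garbage line that does not parse',
]

if __name__ == '__main__':
    for hit in find_bypass_attempts(SAMPLE_LOG, ping_user_agent='internal-lb-probe/2', gcp_healthchecks=True):
        print('bypass pattern:', hit)
```
\u003cp\u003eRun it over the access log of the reverse proxy in front of OAuth2 Proxy with the deployment\u0026rsquo;s real flag values. Hits from addresses that are not the known load balancer or health checker, particularly those with a 2xx status, mean the upstream served an unauthenticated request and should be handled as a confirmed bypass rather than a probe.\u003c/p\u003e
\u003cp\u003e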
Defenders must take immediate action to remediate affected deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OAuth2 Proxy deployment that is integrated through \u003ccode\u003eauth_request\u003c/code\u003e and runs with either \u003ccode\u003e--ping-user-agent\u003c/code\u003e set or \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e enabled.\u003c/li\u003e\n\u003cli\u003eAttacker determines the configured \u003ccode\u003e--ping-user-agent\u003c/code\u003e value, or relies on the default GCP health check User-Agent \u003ccode\u003eGoogleHC/1.0\u003c/code\u003e when \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e is enabled. No credentials are needed at any point: the check is a plain string comparison on a client-controlled header.\u003c/li\u003e\n\u003cli\u003eAttacker sends an HTTP request for a protected resource with the \u003ccode\u003eUser-Agent\u003c/code\u003e header set to that value.\u003c/li\u003e\n\u003cli\u003eThe reverse proxy (e.g., nginx) issues its \u003ccode\u003eauth_request\u003c/code\u003e subrequest to OAuth2 Proxy\u0026rsquo;s \u003ccode\u003e/oauth2/auth\u003c/code\u003e endpoint, forwarding the client\u0026rsquo;s request headers, including the attacker-supplied \u003ccode\u003eUser-Agent\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOAuth2 Proxy matches the \u003ccode\u003eUser-Agent\u003c/code\u003e against its health check value and handles the subrequest as a health check without considering the requested path.\u003c/li\u003e\n\u003cli\u003eOAuth2 Proxy answers the subrequest with \u003ccode\u003e200 OK\u003c/code\u003e, the same status it returns for a valid authenticated session.\u003c/li\u003e\n\u003cli\u003eBecause \u003ccode\u003eauth_request\u003c/code\u003e treats any 2xx response as permission to proceed, the reverse proxy forwards the attacker\u0026rsquo;s original request to the protected upstream.\u003c/li\u003e\n\u003cli\u003eAttacker receives the protected resource without ever authenticating.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in a complete authentication bypass, granting attackers unauthorized access to sensitive 
resources protected by OAuth2 Proxy. The number of affected deployments is unknown, but any organization running OAuth2 Proxy in this configuration is potentially exposed; the bypass requires no credentials, no user interaction, and no tooling beyond a custom \u003ccode\u003eUser-Agent\u003c/code\u003e header. This can lead to data breaches, service disruption, and other severe security incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to OAuth2 Proxy \u003ccode\u003ev7.15.2\u003c/code\u003e or later, which fixes CVE-2026-34457.\u003c/li\u003e\n\u003cli\u003eDisable \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e if it is enabled.\u003c/li\u003e\n\u003cli\u003eRemove any configured \u003ccode\u003e--ping-user-agent\u003c/code\u003e flag; health checkers can use the path-based ping endpoint (\u003ccode\u003e/ping\u003c/code\u003e by default) instead, which does not depend on the User-Agent.\u003c/li\u003e\n\u003cli\u003eConfigure the reverse proxy so that the client-controlled \u003ccode\u003eUser-Agent\u003c/code\u003e header is never forwarded to the OAuth2 Proxy \u003ccode\u003e/oauth2/auth\u003c/code\u003e endpoint; in nginx, setting the header to an empty value with \u003ccode\u003eproxy_set_header\u003c/code\u003e in the \u003ccode\u003eauth_request\u003c/code\u003e location drops it from the subrequest.\u003c/li\u003e\n\u003cli\u003eDetect exploitation attempts with the Sigma rule \u0026ldquo;OAuth2 Proxy Authentication Bypass Attempt\u0026rdquo;, or equivalently alert on requests whose \u003ccode\u003eUser-Agent\u003c/code\u003e matches the configured health check value but whose path is not a health check endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-oauth2-bypass/","summary":"A critical authentication bypass vulnerability (CVE-2026-34457) exists in OAuth2 Proxy when used with `auth_request`-style integration and either `--ping-user-agent` is set or `--gcp-healthchecks` is enabled, allowing unauthenticated access to protected resources.","title":"OAuth2 Proxy Authentication Bypass via User-Agent Header","url":"https://feed.craftedsignal.io/briefs/2026-04-oauth2-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Oauth2-Proxy","version":"https://jsonfeed.org/version/1.1"}