{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/oauth2proxy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-41059"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OAuth2 Proxy"],"_cs_severities":["high"],"_cs_tags":["oauth2proxy","authentication-bypass","cve"],"_cs_type":"advisory","_cs_vendors":["OAuth2 Proxy"],"content_html":"\u003cp\u003eOAuth2 Proxy, a reverse proxy providing authentication using OAuth2 providers, is susceptible to an authentication bypass vulnerability (CVE-2026-41059) affecting versions 7.5.0 through 7.15.1. This vulnerability arises when specific configurations are in place: the use of \u003ccode\u003eskip_auth_routes\u003c/code\u003e or the legacy \u003ccode\u003eskip_auth_regex\u003c/code\u003e with patterns vulnerable to attacker-controlled suffix widening (e.g., \u003ccode\u003e^/foo/.*/bar$\u003c/code\u003e), and protected upstream applications that interpret \u003ccode\u003e#\u003c/code\u003e as a fragment delimiter.  An attacker can exploit this by crafting requests containing a number sign (\u003ccode\u003e#\u003c/code\u003e or its encoded form \u003ccode\u003e%23\u003c/code\u003e) to match public allowlist rules, while the backend inadvertently serves protected resources.  Organizations using OAuth2 Proxy within this vulnerable range should upgrade to version 7.15.2 or implement mitigations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an OAuth2 Proxy instance running a vulnerable version (7.5.0 - 7.15.1) and configuration, specifically utilizing \u003ccode\u003eskip_auth_routes\u003c/code\u003e or \u003ccode\u003eskip_auth_regex\u003c/code\u003e with overly permissive patterns.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a protected resource, embedding a \u003ccode\u003e#\u003c/code\u003e or \u003ccode\u003e%23\u003c/code\u003e within the URI path. For example, a request to \u003ccode\u003e/foo/secret%23bar\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOAuth2 Proxy evaluates the request against the configured \u003ccode\u003eskip_auth_routes\u003c/code\u003e or \u003ccode\u003eskip_auth_regex\u003c/code\u003e rules.  The crafted path bypasses the authentication check because the initial segment matches the allowed pattern (e.g., \u003ccode\u003e/foo/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eOAuth2 Proxy forwards the request to the upstream application without authentication.\u003c/li\u003e\n\u003cli\u003eThe upstream application receives the request. Due to the presence of \u003ccode\u003e#\u003c/code\u003e or \u003ccode\u003e%23\u003c/code\u003e, the application might interpret the URL differently, possibly ignoring the fragment and routing the request to the protected resource (e.g., \u003ccode\u003e/foo/secret\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe upstream application, believing the request is legitimate, processes the request and potentially returns sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the unauthorized response from the upstream application, successfully bypassing authentication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41059 allows unauthenticated attackers to access protected resources and sensitive data behind OAuth2 Proxy. The impact is highly dependent on the nature of the protected resources, potentially leading to data breaches, unauthorized access to administrative interfaces, and other security compromises. The number of affected organizations is unknown but depends on the prevalence of vulnerable OAuth2 Proxy configurations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OAuth2 Proxy to version 7.15.2 or later to patch CVE-2026-41059.\u003c/li\u003e\n\u003cli\u003eTighten or remove \u003ccode\u003eskip_auth_routes\u003c/code\u003e and \u003ccode\u003eskip_auth_regex\u003c/code\u003e rules, especially patterns that use broad wildcards across path segments, as mentioned in the advisory for CVE-2026-41059.\u003c/li\u003e\n\u003cli\u003eImplement ingress, load balancer, or WAF rules to reject requests whose path contains \u003ccode\u003e%23\u003c/code\u003e or \u003ccode\u003e#\u003c/code\u003e, as recommended in the CVE-2026-41059 advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;OAuth2 Proxy Authentication Bypass Attempt via URL Fragment\u0026quot; to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-oauth2-auth-bypass/","summary":"OAuth2 Proxy versions 7.5.0 through 7.15.1 are vulnerable to an authentication bypass (CVE-2026-41059) due to improper handling of URL fragments in conjunction with `skip_auth_routes` or `skip_auth_regex`, potentially allowing unauthenticated access to protected resources.","title":"OAuth2 Proxy Authentication Bypass Vulnerability (CVE-2026-41059)","url":"https://feed.craftedsignal.io/briefs/2024-01-09-oauth2-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Oauth2proxy","version":"https://jsonfeed.org/version/1.1"}