CVE-2026-34457: Authentication Bypass via User-Agent Spoofing in OAuth2 Proxy

Vulnerability ID: CVE-2026-34457
CVSS Score: 9.1
Published: 2026-04-14

OAuth2 Proxy versions prior to 7.15.2 are vulnerable to a critical authentication bypass (CWE-290) when configured with User-Agent-based health checks in an auth_request architecture. An unauthenticated remote attacker can spoof the health check User-Agent header to bypass authorization checks entirely, gaining access to protected upstream resources.

TL;DR

Unauthenticated remote authentication bypass in OAuth2 Proxy (< 7.15.2) due to permissive health check User-Agent validation in auth_request deployments. Fixed in 7.15.2.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-290
Attack Vector: Network
CVSS Score: 9.1 (Critical)
Impact: Authentication Bypass
Exploit Status: PoC Available
Required Configuration: auth_request + UA Health Checks

Affected Systems

OAuth2 Proxy < 7.15.2 utilizing auth_request and --ping-user-agent
OAuth2 Proxy < 7.15.2 utilizing auth_request and --gcp-healthchecks
OAuth2 Proxy: < 7.15.2 (Fixed in: 7.15.2)

Mitigation Strategies

Upgrade OAuth2 Proxy to version 7.15.2 or later.
Disable User-Agent based health checks.
Implement path-based health check routing.

Remediation Steps:

Identify all OAuth2 Proxy deployments within the environment.
Review configuration files and startup arguments for the presence of --ping-user-agent or --gcp-healthchecks.
If upgrading to 7.15.2 is not immediately feasible, remove these configuration flags to disable User-Agent based exemptions.
Configure cloud load balancers and infrastructure monitors to query the /ping endpoint.
Ensure the frontend proxy (e.g., Nginx) routes /ping requests without triggering the auth_request subrequest cycle.
Deploy OAuth2 Proxy version 7.15.2 to permanently resolve the underlying logic flaw.