CVE-2026-34457
Oauth2_proxy_project · Oauth2_proxy
Vulnerability data via NVD (ingested)
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2.
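A detection sketch for the condition described above, added here as an example and not taken from NVD or the OAuth2 Proxy project: it scans front-end access logs for requests that carry the health check User-Agent, target a path other than the health check path, and were served with a 2xx status. The nginx "combined" log format, the /ping health check path, the placeholder User-Agent value and the sample log lines are all assumptions constructed for illustration.

```python
import re

# nginx "combined" access-log format (assumed for this example).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def suspicious_requests(lines, healthcheck_uas, healthcheck_paths=("/ping",)):
    """Return requests that present a health check User-Agent on a path that
    is not a health check path and that were answered with a 2xx status."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format, skip
        path = m["path"].split("?", 1)[0]  # compare without the query string
        status = int(m["status"])
        # 2xx only: a 401/403 or a redirect to sign-in means auth was enforced.
        if (m["ua"] in healthcheck_uas
                and path not in healthcheck_paths
                and 200 <= status < 300):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "path": path, "status": status})
    return hits

# Placeholder for the value configured via --ping-user-agent (constructed).
SAMPLE_UA = "example-healthcheck/1.0"

# Constructed sample log lines, not from any real deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /ping HTTP/1.1" 200 2 "-" "example-healthcheck/1.0"',
    '203.0.113.9 - - [01/Jan/2026:10:00:07 +0000] "GET /admin/users?page=1 HTTP/1.1" 200 5120 "-" "example-healthcheck/1.0"',
    '198.51.100.4 - - [01/Jan/2026:10:00:09 +0000] "GET /admin/users HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2026:10:00:11 +0000] "GET /reports HTTP/1.1" 401 0 "-" "example-healthcheck/1.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG, {SAMPLE_UA}):
        print(hit)
```

Pass every User-Agent value the deployment accepts as a health check in healthcheck_uas, and treat hits from addresses outside the known health checker ranges as candidates for review.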
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-34457
product:"Oauth2 Proxy Project Oauth2 Proxy"
http.html:"Oauth2 Proxy"
vulnerabilities.cve_id: CVE-2026-34457
"CVE-2026-34457" exploit -site:nvd.nist.gov