CVE-2026-34457

Summary

OAuth2 Proxy's Health Check User-Agent Matching Bypasses Authentication in auth_request Mode

Severity

critical

EPSS

0.5% (p37)

Also known as

GHSA-5hvv-m4w4-gf6v#github.com/oauth2-proxy/oauth2-proxy, GHSA-5hvv-m4w4-gf6v#github.com/oauth2-proxy/oauth2-proxy/v7, BIT-oauth2-proxy-2026-34457

Published

2026-04-14

References

• https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v
• https://nvd.nist.gov/vuln/detail/CVE-2026-34457
• https://github.com/oauth2-proxy/oauth2-proxy

Related advisories

• CVE-2026-40575 — critical · Go/github.com/oauth2-proxy/oauth2-proxy/v7
• CVE-2026-41059 — high · Go/github.com/oauth2-proxy/oauth2-proxy/v7
• CVE-2026-40574 — medium · Go/github.com/oauth2-proxy/oauth2-proxy/v7

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity