Skip to main content

Nginx CVE-2026-34457

| EUVDEUVD-2026-22761 CRITICAL
Authentication Bypass by Spoofing (CWE-290)
2026-04-14 GitHub_M GHSA-5hvv-m4w4-gf6v
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Patch released
Apr 15, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 15, 2026 - 01:08 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:46 euvd
EUVD-2026-22761
Analysis Generated
Apr 14, 2026 - 22:46 vuln.today
CVE Published
Apr 14, 2026 - 22:14 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2.

AnalysisAI

Authentication bypass in OAuth2 Proxy versions before 7.15.2 allows remote unauthenticated attackers to access protected resources when deployed with nginx auth_request integration and health check features enabled. Attackers can spoof health check User-Agent headers to bypass OAuth2 authentication entirely, gaining unauthorized access to upstream applications. CVSS 9.1 (Critical) reflects network-accessible, low-complexity attack requiring no privileges or user interaction. No active exploitation confirmed (not in CISA KEV), but the trivial attack complexity and authentication bypass impact warrant immediate patching in affected deployments using nginx auth_request with --ping-user-agent or --gcp-healthchecks flags.

Technical ContextAI

OAuth2 Proxy is a reverse proxy that enforces OAuth2 authentication before forwarding requests to upstream services. In nginx deployments, the auth_request directive creates subrequests to OAuth2 Proxy to validate authentication before serving protected content. The vulnerability (CWE-290: Authentication Bypass by Spoofing) stems from improper health check request validation. When --ping-user-agent or --gcp-healthchecks is configured, OAuth2 Proxy is intended to respond successfully to health monitoring probes matching specific User-Agent strings. However, affected versions fail to restrict this health check logic to designated health check endpoints, treating ANY request with the configured health check User-Agent as valid regardless of the requested path. This allows attackers to craft HTTP requests with spoofed User-Agent headers to bypass authentication checks entirely, as the proxy returns successful authentication responses to nginx for what should be protected resources. The flaw only manifests in auth_request-style integrations where the proxy's response directly determines access control decisions.

RemediationAI

Immediately upgrade OAuth2 Proxy to version 7.15.2 or later, which contains fixes for the authentication bypass vulnerability. The patched release is available at https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2 with complete remediation for the health check validation flaw. Organizations unable to upgrade immediately should disable --ping-user-agent and --gcp-healthchecks configuration flags as a temporary mitigation, though this impacts health monitoring capabilities. Alternative interim mitigation involves restricting health check endpoints at the nginx level to specific paths and removing auth_request directives from those locations, ensuring health checks do not bypass authentication validation for protected resources. Review nginx configuration to ensure auth_request integration properly isolates health check endpoints from application paths. Consult the GitHub security advisory at https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v for deployment-specific guidance and configuration validation steps.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Share

CVE-2026-34457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy