OAuth2 Proxy CVE-2026-41059
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of skip_auth_routes or the legacy skip_auth_regex; use of patterns that can be widened by attacker-controlled suffixes, such as ^/foo/.*/bar$ causing potential exposure of /foo/secret; and protected upstream applications that interpret # as a fragment delimiter or otherwise route the request to the protected base path. In deployments that rely on these settings, an unauthenticated attacker can send a crafted request containing a number sign in the path, including the browser-safe encoded form %23, so that OAuth2 Proxy matches a public allowlist rule while the backend serves a protected resource. Deployments that do not use these skip-auth options, or that only allow exact public paths with tightly scoped method and path rules, are not affected. A fix has been implemented in version 7.15.2 to normalize request paths more conservatively before skip-auth matching so fragment content does not influence allowlist decisions. Users who cannot upgrade immediately can reduce exposure by tightening or removing skip_auth_routes and skip_auth_regex rules, especially patterns that use broad wildcards across path segments. Recommended mitigations include replacing broad rules with exact, anchored public paths and explicit HTTP methods; rejecting requests whose path contains %23 or # at the ingress, load balancer, or WAF level; and/or avoiding placing sensitive application paths behind broad skip_auth_routes rules.
AnalysisAI
Authentication bypass in OAuth2 Proxy 7.5.0-7.15.1 allows remote unauthenticated attackers to access protected resources by exploiting path normalization discrepancies between the proxy and backend services. When deployments use skip_auth_routes or skip_auth_regex with broad wildcard patterns, attackers can inject '#' or '%23' (URL-encoded fragment delimiter) to match public allowlist rules while the upstream application serves sensitive endpoints. CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) reflects network-based unauthenticated access; no public exploit identified at time of analysis. EPSS data not provided. Fixed in version 7.15.2 through conservative path normalization.
Technical ContextAI
OAuth2 Proxy functions as a reverse proxy enforcing authentication via OAuth2/OIDC providers before forwarding requests to upstream applications. The vulnerability (CWE-288: Authentication Bypass Using an Alternate Path or Channel) stems from inconsistent interpretation of URI fragments between OAuth2 Proxy's skip-auth pattern matching logic and backend HTTP servers. Per CPE cpe:2.3:a:oauth2-proxy:oauth2-proxy:*:*:*:*:*:*:*:*, all OAuth2 Proxy versions 7.5.0-7.15.1 are affected. The flaw occurs when skip_auth_routes or skip_auth_regex uses regular expressions with wildcards spanning path segments (e.g., ^/foo/.*/bar$) that inadvertently permit attacker-controlled fragments. HTTP backends treating '#' as a fragment delimiter (per RFC 3986) or applying routing normalization can resolve crafted paths like /foo/secret#/bar to protected resources while OAuth2 Proxy incorrectly matches the literal string against public allowlist patterns. The fix in 7.15.2 normalizes request paths before skip-auth evaluation, stripping fragment components to ensure routing consistency.
RemediationAI
Vendor-released patch: OAuth2 Proxy 7.15.2 implements conservative path normalization stripping fragment content before skip-auth rule evaluation. Upgrade immediately via package manager or container image update; verify using oauth2-proxy --version. For deployments unable to upgrade, apply defense-in-depth mitigations in priority order: (1) Replace broad skip_auth_routes patterns like ^/public/.*/assets$ with exact anchored paths (^/public/css$, ^/public/js$) and explicit HTTP methods (GET only for static assets); (2) Deploy WAF or ingress controller rules rejecting requests containing '#' or '%23' in URI paths-note this may break legitimate applications using fragment identifiers in server-side routing, test thoroughly in staging; (3) Audit backend application routing to confirm fragment-handling behavior, reconfigure applications to reject fragment-containing paths if possible; (4) Remove skip_auth_regex entirely if legacy feature, migrate to skip_auth_routes with method-scoped rules. Consult GitHub advisory https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg for additional hardening guidance. Each workaround trades operational flexibility for security-exact-path whitelisting increases configuration overhead, fragment rejection may break edge-case applications.
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-pxq7-h93f-9jrg