CVE-2026-34457: OAuth2 Proxy's Health Check User-Agent Matching Bypasses Authentication in auth_request Mode

April 14, 2026 (updated April 15, 2026)

A configuration-dependent authentication bypass exists in OAuth2 Proxy.

Deployments are affected when all of the following are true:

OAuth2 Proxy is used with an auth_request-style integration (for example, nginx auth_request)
--ping-user-agent is set or --gcp-healthchecks is enabled

In affected configurations, OAuth2 Proxy will treat a request with the configured health check User-Agent value as a successful health check regardless of the requested path. This allows an unauthenticated remote attacker to bypass authentication and access protected upstream resources without completing the normal login flow.

This issue does not affect deployments that do not use auth_request-style subrequests, or that do not enable --ping-user-agent/--gcp-healthchecks.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-34457 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →