Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-34457

CVE-2026-34457: OAuth2 Proxy Authentication Bypass Issue

CVE-2026-34457 is an authentication bypass flaw in OAuth2 Proxy affecting deployments with auth_request integration and specific health check configurations. This article covers technical details, affected versions, and fixes.

Published: April 17, 2026

CVE-2026-34457 Overview

CVE-2026-34457 is an authentication bypass vulnerability in OAuth2 Proxy, a widely-used reverse proxy that provides authentication using OAuth2 providers. This critical flaw allows unauthenticated remote attackers to bypass authentication controls and access protected upstream resources by exploiting a configuration-dependent weakness in health check handling.

The vulnerability exists in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either the --ping-user-agent flag is set or --gcp-healthchecks is enabled. In these configurations, OAuth2 Proxy incorrectly treats any request containing the configured health check User-Agent value as a successful health check, regardless of the actual requested path. This design flaw allows attackers to simply spoof the User-Agent header to gain unauthorized access to protected resources.

Critical Impact

Unauthenticated remote attackers can completely bypass OAuth2 authentication by spoofing the health check User-Agent header, potentially gaining access to sensitive protected applications and data.

Affected Products

  • OAuth2 Proxy versions prior to 7.15.2
  • Deployments using auth_request-style integration (e.g., nginx auth_request)
  • Configurations with --ping-user-agent or --gcp-healthchecks enabled

Discovery Timeline

  • 2026-04-14 - CVE-2026-34457 published to NVD
  • 2026-04-14 - Last updated in NVD database

Technical Details for CVE-2026-34457

Vulnerability Analysis

This vulnerability (CWE-290: Authentication Bypass by Spoofing) exploits a fundamental flaw in how OAuth2 Proxy validates health check requests. The proxy is designed to allow health check endpoints to bypass authentication for monitoring and orchestration purposes. However, the implementation fails to properly scope this bypass to specific health check paths.

When an attacker sets the User-Agent header to match the configured health check value (either via --ping-user-agent or the default GCP health check agent), the proxy incorrectly assumes the entire request is a legitimate health check. This allows the request to pass through without authentication, regardless of whether it targets /ping, /ready, or any other protected path.

The attack surface is network-based and requires no authentication or user interaction, making it trivially exploitable in affected configurations. An attacker with network access to the OAuth2 Proxy can gain full access to any upstream resources that the proxy protects.

Root Cause

The root cause is improper validation logic in the health check authentication bypass mechanism. The proxy evaluates the User-Agent header before checking the request path, and a matching User-Agent causes the authentication check to be skipped entirely. The correct behavior should require both a matching User-Agent AND a valid health check path (/ping or /ready) for the authentication bypass to apply.

Attack Vector

The attack vector is network-based and straightforward to exploit. An attacker can craft HTTP requests with the spoofed User-Agent header to access any protected resource:

  1. Reconnaissance: Identify that the target uses OAuth2 Proxy with nginx auth_request integration
  2. Configuration Discovery: Determine if --ping-user-agent or --gcp-healthchecks is enabled (GCP health check agents are publicly documented)
  3. Exploitation: Send requests to protected resources with the spoofed User-Agent header
  4. Access: Bypass authentication entirely and interact with upstream applications

For GCP deployments, the health check User-Agent values are well-documented (GoogleHC/1.0), making exploitation even more straightforward. Custom --ping-user-agent values may require additional reconnaissance but provide no additional security.

Detection Methods for CVE-2026-34457

Indicators of Compromise

  • Requests to protected application paths containing health check User-Agent strings (e.g., GoogleHC/1.0)
  • Unusual access patterns to sensitive endpoints from non-health-check sources
  • Authentication bypass events where protected resources are accessed without valid OAuth2 sessions
  • Requests from external IP addresses containing internal health check User-Agent values

Detection Strategies

  • Monitor access logs for requests with health check User-Agent values accessing non-health-check paths
  • Implement anomaly detection for User-Agent header spoofing attempts
  • Review OAuth2 Proxy logs for authentication bypass events correlated with health check User-Agent values
  • Deploy web application firewalls (WAF) to detect and block User-Agent spoofing patterns

Monitoring Recommendations

  • Enable detailed access logging on OAuth2 Proxy and upstream applications
  • Create alerts for health check User-Agent strings appearing in requests to protected resources
  • Monitor for unusual authentication bypass patterns in security information and event management (SIEM) systems
  • Audit network traffic for requests originating outside expected health check infrastructure

How to Mitigate CVE-2026-34457

Immediate Actions Required

  • Upgrade OAuth2 Proxy to version 7.15.2 or later immediately
  • If immediate upgrade is not possible, disable --ping-user-agent and --gcp-healthchecks flags
  • Review access logs for signs of exploitation
  • Implement additional network-layer controls to restrict health check access to trusted sources only

Patch Information

The vulnerability is fixed in OAuth2 Proxy version 7.15.2. Organizations should upgrade to this version or later to remediate the vulnerability. The fix ensures that health check authentication bypass only applies to designated health check paths, not to arbitrary paths based solely on User-Agent matching.

For detailed release information, refer to the GitHub Release v7.15.2 and the GitHub Security Advisory GHSA-5hvv-m4w4-gf6v.

Workarounds

  • Disable the --ping-user-agent flag if not strictly required for operations
  • Disable --gcp-healthchecks and implement alternative health check mechanisms
  • Restrict network access to OAuth2 Proxy health check endpoints using firewall rules or network policies
  • Implement additional authentication layers at the upstream application level as defense in depth
bash
# Example: Disable vulnerable health check options in OAuth2 Proxy configuration
# Remove or comment out these flags from your OAuth2 Proxy startup configuration:
# --ping-user-agent=<custom-agent>
# --gcp-healthchecks

# Instead, use network-level restrictions for health checks:
# In nginx, restrict /ping and /ready to internal networks only:
location = /oauth2/ping {
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    deny all;
    proxy_pass http://oauth2-proxy:4180;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechOauth2 Proxy
  • SeverityCRITICAL
  • CVSS Score9.1
  • EPSS Probability0.07%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-290
  • Technical References
  • GitHub Release v7.15.2
  • GitHub Security Advisory GHSA-5hvv-m4w4-gf6v
  • Related CVEs
  • CVE-2026-40574: OAuth2 Proxy Auth Bypass Vulnerability
  • CVE-2026-41059: OAuth2 Proxy Auth Bypass Vulnerability
  • CVE-2026-40575: OAuth2 Proxy Auth Bypass Vulnerability
  • CVE-2026-34454: OAuth2 Proxy Auth Bypass Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English