CVE-2026-41059 Overview
CVE-2026-41059 is an authentication bypass vulnerability affecting OAuth2 Proxy, a widely-used reverse proxy that provides authentication using OAuth2 providers. The vulnerability exists in versions 7.5.0 through 7.15.1 and allows unauthenticated attackers to bypass authentication controls by injecting fragment delimiters into request paths.
The flaw is configuration-dependent and affects deployments using skip_auth_routes or the legacy skip_auth_regex settings with patterns that can be widened by attacker-controlled suffixes. When combined with backend applications that interpret # as a fragment delimiter, attackers can craft malicious requests that match public allowlist rules while the backend serves protected resources.
Critical Impact
Unauthenticated attackers can bypass OAuth2 authentication controls to access protected resources, potentially exposing sensitive application data and functionality to unauthorized access.
Affected Products
- OAuth2 Proxy versions 7.5.0 through 7.15.1
- Deployments using skip_auth_routes or skip_auth_regex with broad wildcard patterns
- Configurations where backend applications interpret # as a fragment delimiter
Discovery Timeline
- 2026-04-22 - CVE-2026-41059 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-41059
Vulnerability Analysis
This authentication bypass vulnerability (CWE-288) stems from improper request path normalization in OAuth2 Proxy when evaluating skip-auth rules. The vulnerability allows attackers to manipulate how the proxy interprets request paths versus how the backend application processes the same requests.
The attack exploits a semantic gap between OAuth2 Proxy's path matching logic and backend application routing behavior. When an attacker includes a number sign (#) or its URL-encoded form (%23) in a request path, OAuth2 Proxy may incorrectly match the request against a public allowlist rule. Meanwhile, the backend application may strip the fragment portion and route the request to a protected resource that should require authentication.
For example, if a deployment has a skip-auth rule like ^/foo/.*/bar$ to allow unauthenticated access to certain paths, an attacker could craft a request such as /foo/secret#/bar or /foo/secret%23bar. OAuth2 Proxy might match this against the allowlist pattern and allow the request through without authentication, while the backend strips the fragment and serves content from the protected /foo/secret path.
Root Cause
The root cause is insufficient path normalization before skip-auth matching. OAuth2 Proxy fails to properly handle fragment delimiters in request paths, allowing fragment content to influence allowlist decisions. This creates a mismatch between the path evaluated by the proxy's authentication logic and the path ultimately served by the backend application.
The vulnerability is exacerbated when administrators configure broad wildcard patterns in skip_auth_routes or skip_auth_regex settings, as these patterns are more susceptible to being exploited through suffix injection attacks.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction, making it particularly dangerous for internet-facing deployments. An attacker can exploit this vulnerability by:
- Identifying OAuth2 Proxy deployments with skip_auth_routes or skip_auth_regex configurations
- Analyzing the public allowlist patterns to find rules with broad wildcards
- Crafting requests with # or %23 characters positioned to match allowlist patterns while targeting protected resources
- Sending the malicious request to bypass authentication and access protected content
The attack succeeds when the OAuth2 Proxy evaluates the full path (including the fragment portion) against skip-auth rules, but the backend application interprets the fragment delimiter and routes the request to a different, protected path. This exploitation technique requires no special tools—standard HTTP clients or browsers can be used to craft and send the malicious requests.
Detection Methods for CVE-2026-41059
Indicators of Compromise
- HTTP requests containing %23 or # characters in URL paths (not as true fragment delimiters)
- Unusual access patterns to protected resources without corresponding authentication events
- Log entries showing successful resource access without OAuth2 authentication tokens
- Requests with URL-encoded fragment delimiters followed by path-like suffixes
Detection Strategies
- Monitor web access logs for requests containing %23 in the path portion of URLs
- Implement alerting for access to protected endpoints that lack accompanying authentication token validation
- Review OAuth2 Proxy access logs for requests matching skip-auth rules that should have been authenticated
- Deploy web application firewall (WAF) rules to detect and alert on fragment injection attempts
Monitoring Recommendations
- Enable verbose logging on OAuth2 Proxy to capture full request paths including URL-encoded characters
- Correlate OAuth2 Proxy logs with backend application logs to identify path interpretation discrepancies
- Monitor for increased unauthenticated access attempts to paths containing wildcard patterns in skip-auth rules
- Implement anomaly detection for access patterns that bypass normal authentication flows
How to Mitigate CVE-2026-41059
Immediate Actions Required
- Upgrade OAuth2 Proxy to version 7.15.2 or later, which normalizes request paths more conservatively before skip-auth matching
- Audit all skip_auth_routes and skip_auth_regex configurations for broad wildcard patterns
- Replace broad regex rules with exact, anchored public paths and explicit HTTP methods
- Configure ingress controllers, load balancers, or WAF to reject requests containing %23 or # in URL paths
Patch Information
A fix has been implemented in OAuth2 Proxy version 7.15.2. The patch normalizes request paths more conservatively before skip-auth matching, ensuring that fragment content does not influence allowlist decisions. Users should upgrade to this version or later to fully remediate the vulnerability.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Tighten or remove skip_auth_routes and skip_auth_regex rules, especially patterns using broad wildcards across path segments
- Replace broad wildcard patterns with exact path matches (e.g., use /public/resource instead of /public/.*)
- Configure explicit HTTP method restrictions alongside path patterns to limit attack surface
- Deploy WAF rules at the ingress layer to block requests containing %23 or # in URL paths before they reach OAuth2 Proxy
- Avoid placing sensitive application paths behind broad skip_auth_routes rules
# Example: Reject requests with fragment delimiters at nginx ingress level
# Add to nginx configuration to block requests with %23 or # in path
if ($request_uri ~* "%23|#") {
return 400;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
