Lucene search
+L

156 matches found

EUVD
EUVD
added 2026/04/21 11:17 p.m.6 views

EUVD-2026-24559

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of skipauthroutes or the legacy skipauthregex; use of patterns...

8.2CVSS5.7AI score0.00275EPSS
Exploits0References1
CVE
CVE
added 2026/04/21 11:17 p.m.72 views

CVE-2026-41059

The CVE concerns OAuth2 Proxy (versions 7.5.0–7.15.1) where a configuration-driven authentication bypass can occur due to patterns in skip_auth_routes or legacy skip_auth_regex. Attacks are possible when attacker-controlled suffixes widen patterns (for example, ^/foo/.*/bar$) so that a # in the p...

8.2CVSS5.7AI score0.00275EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/04/21 11:17 p.m.3 views

CVE-2026-41059 OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of skipauthroutes or the legacy skipauthregex; use of patterns...

8.2CVSS5.9AI score0.00275EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/21 7:11 p.m.6 views

Incorrect Authorization

Overview github.com/oauth2-proxy/oauth2-proxy is a reverse proxy that provides authentication with Google, Github or other providers. Affected versions of this package are vulnerable to Incorrect Authorization in the email domain validation. An attacker can gain unauthorized access by submitting ...

7.6CVSS5.5AI score0.00209EPSS
Exploits0References2
NVD
NVD
added 2026/04/21 5:16 p.m.5 views

CVE-2026-40574

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the emaildomain enforcement option. An attacker may be able to authenticate with an email claim such as [email protected]@company.com and...

6.8CVSS0.00209EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/21 4:32 p.m.35 views

CVE-2026-40574 OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the emaildomain enforcement option. An attacker may be able to authenticate with an email claim such as [email protected]@company.com and...

6.8CVSS0.00209EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/21 4:32 p.m.6 views

CVE-2026-40574

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the emaildomain enforcement option. An attacker may be able to authenticate with an email claim such as [email protected]@company.com and...

6.8CVSS5.7AI score0.00209EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/04/21 4:32 p.m.22 views

CVE-2026-40574

CVE-2026-40574 affects OAuth2 Proxy. Affected: deployments using email_domain restrictions. Issue: authorization bypass where an attacker can use a malformed multi-@ email claim (e.g., [email protected]@company.com) to satisfy a company.com domain check, even though the claim is not a valid email...

6.8CVSS5.7AI score0.00209EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/04/16 11:45 p.m.2 views

BIT-OAUTH2-PROXY-2026-34457 OAuth2 Proxy: Health Check User-Agent Matching Bypasses Authentication in auth_request Mode

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an authrequest-style integration such as nginx authrequest and either...

9.1CVSS5.8AI score0.00475EPSS
Exploits0References3
OSV
OSV
added 2026/04/15 7:24 p.m.6 views

GHSA-PXQ7-H93F-9JRG OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex

Impact A configuration-dependent authentication bypass exists in OAuth2 Proxy. Deployments are affected when all of the following are true: Use of skipauthroutes or the legacy skipauthregex Use of patterns that can be widened by attacker-controlled suffixes, such as ^/foo/./bar$ causing potential...

8.2CVSS5.8AI score0.00275EPSS
Exploits0References3
OSV
OSV
added 2026/04/15 7:23 p.m.4 views

GHSA-C5C4-8R6X-56W3 OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims

Impact An authorization bypass exists in OAuth2 Proxy as part of the emaildomain enforcement option. An attacker may be able to authenticate with an email claim such as [email protected]@company.com and satisfy an allowed domain check for company.com, even though the claim is not a valid email...

6.8CVSS5.8AI score0.00209EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/15 7:23 p.m.11 views

OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims

Impact An authorization bypass exists in OAuth2 Proxy as part of the emaildomain enforcement option. An attacker may be able to authenticate with an email claim such as [email protected]@company.com and satisfy an allowed domain check for company.com, even though the claim is not a valid email...

6.8CVSS5.8AI score0.00209EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/15 7:21 p.m.4 views

GHSA-7X63-XV5R-3P2X OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing

Impact A configuration-dependent authentication bypass exists in OAuth2 Proxy. Deployments are affected when all of the following are true: OAuth2 Proxy is configured with --reverse-proxy and at least one rule is defined with --skipauthroutes or the legacy --skip-auth-regex OAuth2 Proxy may trust...

9.1CVSS5.9AI score0.00477EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/15 7:21 p.m.11 views

OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing

Impact A configuration-dependent authentication bypass exists in OAuth2 Proxy. Deployments are affected when all of the following are true: OAuth2 Proxy is configured with --reverse-proxy and at least one rule is defined with --skipauthroutes or the legacy --skip-auth-regex OAuth2 Proxy may trust...

9.1CVSS5.9AI score0.00477EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.7 views

PT-2026-33224

Name of the Vulnerable Software and Affected Versions OAuth2 Proxy versions prior to 7.15.2 Description A configuration-dependent authentication bypass occurs when OAuth2 Proxy is configured with --reverse-proxy and has at least one rule defined using --skip auth routes or --skip-auth-regex. In...

9.1CVSS5.8AI score0.00477EPSS
Exploits0References14
NVD
NVD
added 2026/04/14 11:16 p.m.5 views

CVE-2026-34457

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an authrequest-style integration such as nginx authrequest and either...

9.1CVSS0.00475EPSS
Exploits0References2
NVD
NVD
added 2026/04/14 11:16 p.m.4 views

CVE-2026-34454

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be...

3.5CVSS0.00183EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/14 11:11 p.m.5 views

Insufficient Session Expiration

Overview github.com/oauth2-proxy/oauth2-proxy/v7 is a reverse proxy that provides authentication with Google, Github or other providers. Affected versions of this package are vulnerable to Insufficient Session Expiration through the SignInPage handler in oauthproxy.go. An attacker can keep a...

6.9CVSS5.8AI score0.00183EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/14 10:31 p.m.6 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via the isHealthCheckRequest function in pkg/middleware/healthcheck.go. An attacker can reach protected endpoints by sending a request with a configured health-check User-Agent, causing the middleware to treat the...

9.3CVSS5.7AI score0.00475EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/14 10:31 p.m.18 views

OAuth2 Proxy's Health Check User-Agent Matching Bypasses Authentication in auth_request Mode

Impact A configuration-dependent authentication bypass exists in OAuth2 Proxy. Deployments are affected when all of the following are true: - OAuth2 Proxy is used with an authrequest-style integration for example, nginx authrequest - --ping-user-agent is set or --gcp-healthchecks is enabled In...

9.1CVSS5.9AI score0.00475EPSS
Exploits0References4Affected Software2
Rows per page
Query Builder