
OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex

High severity | GitHub Reviewed | Published Apr 14, 2026 in oauth2-proxy/oauth2-proxy

Package

gomod github.com/oauth2-proxy/oauth2-proxy/v7 (Go)

Affected versions

>= 7.5.0, < 7.15.2

Patched versions

7.15.2

Description

Impact

A configuration-dependent authentication bypass exists in OAuth2 Proxy.

Deployments are affected when all of the following are true:

  • Use of skip_auth_routes or the legacy skip_auth_regex
  • Use of patterns that can be widened by attacker-controlled suffixes, such as ^/foo/.*/bar$, causing potential exposure of /foo/secret
  • Protected upstream applications that interpret # as a fragment delimiter or otherwise route the request to the protected base path

In deployments that rely on these settings, an unauthenticated attacker can send a crafted request containing a number sign in the path, including the browser-safe encoded form %23, so that OAuth2 Proxy matches a public allowlist rule while the backend serves a protected resource.

Deployments that do not use these skip-auth options, or that only allow exact public paths with tightly scoped method and path rules, ARE NOT affected.

Patches

A fix has been implemented to normalize request paths more conservatively before skip-auth matching so fragment content does not influence allowlist decisions.

Released as part of v7.15.2

Workarounds

Users who cannot upgrade immediately can reduce exposure by tightening or removing skip_auth_routes and skip_auth_regex rules, especially patterns that use broad wildcards across path segments.

Recommended mitigations:

  • Replace broad rules with exact, anchored public paths and explicit HTTP methods
  • Reject requests whose path contains %23 or # at the ingress, load balancer, or WAF level
  • Avoid placing sensitive application paths behind broad skip_auth_routes rules
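The following Go program is an added illustration of the fragment-confusion class described in the Impact section and of the path normalization and ingress rejection described under Patches and Workarounds. It is not oauth2-proxy's own code: the allowlist, the `naiveSkipAuth`, `hardenedSkipAuth`, `effectivePath` and `rejectFragmentChars` functions, and the sample request paths are all constructed for this example. It assumes the upstream treats everything from the first `#` onward as a fragment, which is the precondition the advisory names.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed allowlist modelled on the advisory's example ^/foo/.*/bar$.
// This is not oauth2-proxy's configuration format, just the compiled patterns.
var skipAuthPatterns = []*regexp.Regexp{
	regexp.MustCompile(`^/foo/.*/bar$`),
	regexp.MustCompile(`^/healthz$`),
}

// decodePath mimics what an HTTP server hands a handler as URL.Path:
// percent-encoded bytes such as %23 are decoded, so "%23" becomes "#".
func decodePath(rawPath string) (string, error) {
	return url.PathUnescape(rawPath)
}

func matchesAllowlist(p string) bool {
	for _, re := range skipAuthPatterns {
		if re.MatchString(p) {
			return true
		}
	}
	return false
}

// naiveSkipAuth matches the decoded path as-is. This models the behaviour the
// advisory describes: the "#" survives into the matched string, so a wildcard
// that crosses path segments is widened by an attacker-controlled suffix.
func naiveSkipAuth(rawPath string) bool {
	p, err := decodePath(rawPath)
	if err != nil {
		return false // undecodable paths are never treated as public
	}
	return matchesAllowlist(p)
}

// effectivePath is the path a fragment-aware upstream would actually serve:
// everything from the first "#" onward is discarded (assumed upstream behaviour).
func effectivePath(decoded string) string {
	if i := strings.IndexByte(decoded, '#'); i >= 0 {
		return decoded[:i]
	}
	return decoded
}

// hardenedSkipAuth matches the same path the upstream would serve, so fragment
// content cannot influence the allowlist decision. This is an assumed design in
// the spirit of the fix the advisory describes, not the project's actual patch.
func hardenedSkipAuth(rawPath string) bool {
	p, err := decodePath(rawPath)
	if err != nil {
		return false
	}
	return matchesAllowlist(effectivePath(p))
}

// rejectFragmentChars implements the advisory's ingress-level workaround: refuse
// any request whose raw path carries a literal "#" or an encoded "%23".
func rejectFragmentChars(rawPath string) bool {
	return strings.Contains(rawPath, "#") ||
		strings.Contains(strings.ToLower(rawPath), "%23")
}

func main() {
	// Constructed sample request paths.
	samples := []string{
		"/foo/x/bar",           // genuinely public under the example rule
		"/foo/secret",          // protected resource
		"/foo/secret%23/bar",   // browser-safe encoded form of the crafted path
		"/foo/secret#/bar",     // raw form
		"/healthz",
	}
	fmt.Printf("%-22s %-6s %-9s %-7s\n", "path", "naive", "hardened", "reject")
	for _, s := range samples {
		fmt.Printf("%-22s %-6v %-9v %-7v\n", s,
			naiveSkipAuth(s), hardenedSkipAuth(s), rejectFragmentChars(s))
	}
}
```

Running it shows the naive matcher treating `/foo/secret%23/bar` as public while the hardened matcher evaluates `/foo/secret`, the path the upstream would serve, and denies it; the ingress check rejects both crafted forms outright while leaving ordinary paths alone.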

References

@tuunit tuunit published to oauth2-proxy/oauth2-proxy Apr 14, 2026
Published to the GitHub Advisory Database Apr 15, 2026
Reviewed Apr 15, 2026

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N


Weaknesses

Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but it also has an alternate path or channel that does not require authentication.

CVE ID

No known CVE

GHSA ID

GHSA-pxq7-h93f-9jrg
