GHSA-PXQ7-H93F-9JRG

Vulnerability from github – Published: 2026-04-15 19:24 – Updated: 2026-04-15 19:24
VLAI?
Summary
OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex
Details

Impact

A configuration-dependent authentication bypass exists in OAuth2 Proxy.

Deployments are affected when all of the following are true:

  • Use of skip_auth_routes or the legacy skip_auth_regex * Use of patterns that can be widened by attacker-controlled suffixes, such as ^/foo/.*/bar$ causing potential exposure of /foo/secret * Protected upstream applications that interpret # as a fragment delimiter or otherwise route the request to the protected base path

In deployments that rely on these settings, an unauthenticated attacker can send a crafted request containing a number sign in the path, including the browser-safe encoded form %23, so that OAuth2 Proxy matches a public allowlist rule while the backend serves a protected resource.

Deployments that do not use these skip-auth options, or that only allow exact public paths with tightly scoped method and path rules, ARE NOT affected.

Patches

A fix has been implemented to normalize request paths more conservatively before skip-auth matching so fragment content does not influence allowlist decisions.

Released as part of v7.15.2

Workarounds

Users who cannot upgrade immediately can reduce exposure by tightening or removing skip_auth_routes and skip_auth_regex rules, especially patterns that use broad wildcards across path segments.

Recommended mitigations:

  • Replace broad rules with exact, anchored public paths and explicit HTTP methods
  • Reject requests whose path contains %23 or # at the ingress, load balancer, or WAF level
  • Avoid placing sensitive application paths behind broad skip_auth_routes rules
Severity ?
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/oauth2-proxy/oauth2-proxy/v7"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.5.0"
            },
            {
              "fixed": "7.15.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-15T19:24:13Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA configuration-dependent authentication bypass exists in OAuth2 Proxy.\n\nDeployments are affected when all of the following are true:\n\n* Use of `skip_auth_routes` or the legacy `skip_auth_regex` * Use of patterns that can be widened by attacker-controlled suffixes,    such as `^/foo/.*/bar$` causing potential exposure of `/foo/secret` * Protected upstream applications that interpret `#` as a fragment delimiter    or otherwise route the request to the protected base path\n\nIn deployments that rely on these settings, an unauthenticated attacker can send a crafted request containing a number sign in the path, including the browser-safe encoded form `%23`, so that OAuth2 Proxy matches a public allowlist rule while the backend serves a protected resource.\n\nDeployments that do not use these skip-auth options, or that only allow exact public paths with tightly scoped method and path rules, **ARE NOT** affected.\n\n### Patches\n\nA fix has been implemented to normalize request paths more conservatively before skip-auth matching so fragment content does not influence allowlist decisions.\n\nReleased as part of `v7.15.2`\n\n### Workarounds\n\nUsers who cannot upgrade immediately can reduce exposure by tightening or removing `skip_auth_routes` and `skip_auth_regex` rules, especially patterns that use broad wildcards across path segments.\n\nRecommended mitigations:\n\n* Replace broad rules with exact, anchored public paths and explicit HTTP methods\n* Reject requests whose path contains `%23` or `#` at the ingress, load balancer, or WAF level\n* Avoid placing sensitive application paths behind broad `skip_auth_routes` rules",
  "id": "GHSA-pxq7-h93f-9jrg",
  "modified": "2026-04-15T19:24:13Z",
  "published": "2026-04-15T19:24:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.