
CVE

CVE-2026-41059

OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex

Impact

A configuration-dependent authentication bypass exists in OAuth2 Proxy.

Deployments are affected when all of the following are true:

  • Use of skip_auth_routes or the legacy skip_auth_regex
  • Use of patterns that can be widened by attacker-controlled suffixes, such as ^/foo/.*/bar$, which can expose the protected path /foo/secret
  • Protected upstream applications that interpret # as a fragment delimiter, or otherwise route the request to the protected base path

In deployments that rely on these settings, an unauthenticated attacker can send a crafted request whose path contains a number sign (#), including the browser-safe percent-encoded form %23. OAuth2 Proxy matches the path against a public allowlist rule and lets the request through, while the backend strips everything from the # onward and serves the protected resource.

Deployments that do not use these skip-auth options, or that only allow exact public paths with tightly scoped method and path rules, are not affected.

Patches

A fix has been implemented to normalize request paths more conservatively before skip-auth matching so fragment content does not influence allowlist decisions.

Released as part of v7.15.2

Workarounds

Users who cannot upgrade immediately can reduce exposure by tightening or removing skip_auth_routes and skip_auth_regex rules, especially patterns that use broad wildcards (such as .*) that span path segments.

Recommended mitigations:

  • Replace broad rules with exact, anchored public paths and explicit HTTP methods
  • Reject requests whose path contains %23 or # at the ingress, load balancer, or WAF level; apply this check to the raw request target before any decoding, since %23 is the form a browser will actually send
  • Avoid placing sensitive application paths behind broad skip_auth_routes rules
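The following Go program is an added example written for this page, not code from the OAuth2 Proxy project. It models the two views described in the Impact section (the proxy matching the raw path against the broad rule ^/foo/.*/bar$, and an upstream that treats # as a fragment delimiter) and then applies the workarounds above as a check: decode once, refuse any path that still carries a #, require an explicit HTTP method, and match only an anchored exact path. The function and rule names, the public path /foo/public/bar, and the hardening logic in hardenedAllows are assumptions made for illustration; they are not the project's patched normalization code.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// broadPattern is the advisory's example of a skip-auth rule that an attacker
// can widen: ".*" spans path segments, so anything between /foo/ and /bar is
// accepted, including an encoded fragment delimiter.
const broadPattern = `^/foo/.*/bar$`

// skipRule is a tightened allowlist entry: one explicit HTTP method and one
// anchored, exact public path (the shape the workarounds recommend).
type skipRule struct {
	Method  string
	Pattern *regexp.Regexp
}

// tightRule is a constructed replacement for broadPattern, limited to a single
// hypothetical public path.
var tightRule = skipRule{Method: "GET", Pattern: regexp.MustCompile(`^/foo/public/bar$`)}

// proxyAllows models the vulnerable side: the raw request path is matched
// against the skip-auth pattern as received, so /foo/secret%23/bar (or a
// literal /foo/secret#/bar) satisfies ^/foo/.*/bar$ and skips authentication.
func proxyAllows(pattern, rawPath string) bool {
	return regexp.MustCompile(pattern).MatchString(rawPath)
}

// backendPath models an upstream that percent-decodes the path and treats "#"
// as a fragment delimiter: everything from the "#" onward is dropped, so the
// request is routed to the protected base path /foo/secret.
func backendPath(rawPath string) string {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		decoded = rawPath
	}
	if i := strings.IndexByte(decoded, '#'); i >= 0 {
		return decoded[:i]
	}
	return decoded
}

// hardenedAllows is this example's illustration of the workarounds (not the
// project's fix): decode once, refuse any path that still carries "#" (which
// catches both the literal and the %23 form), require the rule's HTTP method,
// and only then match an anchored exact pattern.
func hardenedAllows(r skipRule, method, rawPath string) bool {
	if method != r.Method {
		return false
	}
	decoded, err := url.PathUnescape(rawPath)
	if err != nil || strings.ContainsRune(decoded, '#') {
		return false
	}
	return r.Pattern.MatchString(decoded)
}

func main() {
	// Constructed request paths: two attacker variants and one legitimate one.
	for _, p := range []string{"/foo/secret%23/bar", "/foo/secret#/bar", "/foo/public/bar"} {
		fmt.Printf("%-20s proxy(broad)=%-5v backend serves %-18q hardened(GET)=%v\n",
			p, proxyAllows(broadPattern, p), backendPath(p), hardenedAllows(tightRule, "GET", p))
	}
}
```

The first two rows of the output show the confusion: the proxy says "allowed", the backend serves /foo/secret. The hardened check rejects both variants and still admits the genuine public path; a request that only differs in method (POST instead of GET) is rejected as well, which is what "explicit HTTP methods" buys you.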


CVSS

CVSS Version: 3.1
Severity: High
Base Score: 8.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Reading the vector: network-reachable, low attack complexity, no privileges or user interaction required, scope unchanged; confidentiality impact high (the protected resource is disclosed to an unauthenticated client), integrity low, availability none.


References

  • https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg
  • https://nvd.nist.gov/vuln/detail/CVE-2026-41059
  • https://github.com/oauth2-proxy/oauth2-proxy


Basic Information

Ecosystem: Go (module github.com/oauth2-proxy/oauth2-proxy; the pseudo-versions below are Go module pseudo-versions)
Base CVSS: 8.2
EPSS Probability: 0.00311%
EPSS Percentile: 0.54632%
Introduced Version: 7.5.0, v7.11.0, v7.0.0-20250730174658-9ffafad4b2d2, v7.5.0, v7.0.0-20230823131550-7529095e1ac4
Fix Available: 7.15.2, v7.15.2, v7.0.0-20260413162901-bdfde725c617
