A critical authentication bypass in OAuth2 Proxy allows unauthenticated remote attackers to access protected upstream resources by spoofing health check requests.

The proxy incorrectly validates requests containing specific User-Agent strings, treating them as health checks regardless of the requested path when used in auth_request configurations.

The vulnerability allows an unauthenticated attacker to bypass established authentication controls entirely. With a CVSS score of 9.1, this provides unauthorized access to sensitive upstream applications, potentially resulting in large-scale data breaches or unauthorized administrative actions.

Immediate Action: Update OAuth2 Proxy to version 7.15.2 or later.

Proactive Monitoring: Review access logs for requests originating from unexpected IPs that utilize the health check User-Agent strings.

Compensating Controls: If immediate patching is not possible, disable the --ping-user-agent or --gcp-healthchecks features, or implement strict IP-based access control lists (ACLs) for health check endpoints.

Public Exploit Available: Unknown

This bypass is particularly dangerous because it exploits a feature intended for monitoring. Security teams must verify their deployment configuration to determine if they are using the affected auth_request integration and apply the patch as a matter of urgency to restore authentication integrity.