CVE-2026-41059 - Vulnerability Analysis
Severity: High
CVSS: 8.2
Last Updated: April 22, 2026
OAuth2 Proxy - Authentication Bypass
Published: April 22, 2026
Updated: April 22, 2026
Remote Exploitable
Overview
OAuth2 Proxy versions 7.5.0 through 7.15.1 contain an authentication bypass caused by improper normalization of request paths matched against skip_auth_routes or skip_auth_regex patterns, allowing unauthenticated attackers to reach protected resources. Exploitation requires a vulnerable skip-auth configuration and requests containing fragment delimiters.
Severity & Score
Severity: High
CVSS Score: 8.2
Impact
Unauthenticated attackers can bypass authentication to access protected resources, risking unauthorized data exposure.
Mitigation
Upgrade to version 7.15.2 or later. As an interim measure, tighten or remove skip_auth_routes and skip_auth_regex rules and reject requests containing '%23' or '#' at ingress.
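As an added example (not OAuth2 Proxy's own code), a small Go gatekeeper that puts the two mitigations above together: an ingress check that refuses any request path carrying a literal or percent-encoded fragment delimiter, and a skip-auth decision that is made only against the decoded, canonicalised path. The skip-auth patterns and sample paths are constructed for this example, and the ordering (reject, normalize, then match) is an assumption about how a hardened check should be structured, not a description of the fixed release.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Skip-auth patterns modelled on a skip_auth_regex setting. These are
// constructed for this example and are not OAuth2 Proxy's own defaults.
var skipAuthPatterns = []*regexp.Regexp{
	regexp.MustCompile(`^/healthz$`),
	regexp.MustCompile(`^/static/`),
}

// RejectAtIngress implements the page's interim mitigation: refuse any request
// whose raw (undecoded) path carries a fragment delimiter, either literal or
// percent-encoded, before any skip-auth decision is taken.
func RejectAtIngress(rawPath string) bool {
	return strings.Contains(rawPath, "#") ||
		strings.Contains(strings.ToLower(rawPath), "%23")
}

// NormalizePath percent-decodes the path and canonicalises it (collapsing
// "..", "." and repeated slashes) so the skip-auth match is made against the
// same path the upstream will serve. A malformed escape is an error.
func NormalizePath(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	return path.Clean("/" + decoded), nil
}

// SkipAuth reports whether a request may bypass authentication. It returns
// true only when the ingress check passes and the normalised path matches a
// skip-auth pattern; any doubt resolves to "authenticate".
func SkipAuth(rawPath string) (bool, error) {
	if RejectAtIngress(rawPath) {
		return false, errors.New("fragment delimiter in request path rejected at ingress")
	}
	normalized, err := NormalizePath(rawPath)
	if err != nil {
		return false, err
	}
	for _, re := range skipAuthPatterns {
		if re.MatchString(normalized) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample paths: an allowed health check, a protected route,
	// a path that is rejected at ingress, and one that only looks like a
	// static asset path before normalisation.
	samples := []string{"/healthz", "/api/users", "/healthz%23frag", "/static/../api/users"}
	for _, p := range samples {
		ok, err := SkipAuth(p)
		fmt.Printf("%-24s skip_auth=%-5t err=%v\n", p, ok, err)
	}
}
```

The decision is deliberately fail-closed: a malformed percent-escape, an ingress rejection, or a normalised path that no longer matches all fall through to the authenticated path rather than to the bypass.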
Details
- CVE ID: CVE-2026-41059
- Severity: High
- CVSS Score: 8.2
- Type: broken_authentication
- Status: new
CWE
- CWE-288
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N