
oauth2-proxy

v7.15.2 Security

This release patches 1 CVE for security teams tracking exposure across their dependency inventory.

This release patches 1 known CVE: GHSA-5hvv-m4w4-gf6v

Topics

cloud-infrastructure oauth2-proxy tls sso

Summary

AI summary

Fixes critical authentication vulnerabilities including session fixation and header spoofing.

Security Fixes

  • CVE-2026-34986, CVE-2026-32281, CVE-2026-32289, CVE-2026-32288, CVE-2026-32280, CVE-2026-32282, CVE-2026-32283
  • GHSA-5hvv-m4w4-gf6v: Health check user-agent authentication bypass (Critical)
  • GHSA-7x63-xv5r-3p2x: X-Forwarded-Uri header spoofing authentication bypass (Critical)
  • GHSA-pxq7-h93f-9jrg: Fragment evaluation in allowed routes (High)
  • GHSA-c5c4-8r6x-56w3: Email validation bypass via malformed multi-@ email claims (Moderate)
  • GHSA-f24x-5g9q-753f: Session fixation attack prevention

About oauth2-proxy

A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
