| Vendor | ID | Description | CVE | Type | Date |
| --- | --- | --- | --- | --- | --- |
| OAuth2 Proxy | HTAI-008 | When oauth2-proxy is used in auth_request integrations with --ping-user-agent or --gcp-healthchecks enabled, any request bearing the configured health check User-Agent bypasses authentication regardless of the requested path. | CVE-2026-34457 | Auth Bypass | Apr 14, 2026 |
| OAuth2 Proxy | HTAI-007 | When oauth2-proxy is configured with --reverse-proxy and skip_auth_routes, it may trust a client-supplied X-Forwarded-Uri header, allowing an unauthenticated attacker to spoof the header and bypass authentication on protected routes. | CVE-2026-40575 | Auth Bypass | Apr 14, 2026 |
| OAuth2 Proxy | HTAI-006 | A configuration-dependent authentication bypass in oauth2-proxy where an attacker can use a # fragment in the request path to widen skip_auth_routes or skip_auth_regex patterns, causing oauth2-proxy to match a public allowlist rule while the backend routes to a protected resource. | CVE-2026-41059 | Auth Bypass | Apr 14, 2026 |
| JetBrains | HTAI-005 | A sandbox bypass vulnerability in YouTrack allows an attacker with administrator-level permissions to execute arbitrary code. On YouTrack Cloud, this could bypass cross-tenant isolation boundaries for tenants sharing the same hardware. | CVE-2026-33392 | RCE | Apr 9, 2026 |
| JetBrains | HTAI-004 | Pending disclosure | Reserved | RCE | Mar 14, 2026 |
| OpenAM | HTAI-003 | Pre-Authentication Remote Code Execution via jato.clientSession Deserialization in OpenAM. | CVE-2026-33439 | RCE | Mar 20, 2026 |
| Metabase | HTAI-002 | Authenticated users on Metabase Enterprise Edition can achieve Remote Code Execution (RCE) and Arbitrary File Read through the EE Serialization Import endpoint. | CVE-2026-33725 | RCE | Mar 20, 2026 |
| BeyondTrust | HTAI-001 | Pre-Authentication Remote Code Execution via deserialization vulnerability in BeyondTrust Remote Support and Privileged Remote Access (PRA) products. | CVE-2026-1731 | RCE | Feb 6, 2026 |