PT-2026-33224 · Unknown · Oauth2 Proxy

Iamnoooob

·

Published

2026-04-15

·

Updated

2026-04-25

·

CVE-2026-40575

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

OAuth2 Proxy versions prior to 7.15.2

Description

A configuration-dependent authentication bypass occurs when OAuth2 Proxy is configured with --reverse-proxy and has at least one rule defined using --skip-auth-route or --skip-auth-regex. In this state, the software may trust a client-supplied X-Forwarded-Uri header. An attacker can spoof this header to make OAuth2 Proxy evaluate authentication and skip-auth rules against a path different from the one sent to the upstream application, allowing an unauthenticated remote attacker to access protected routes without a valid session.

Recommendations

Update to version 7.15.2 and configure the --trusted-proxy-ip flag to specify the IPs or CIDR ranges of reverse proxies allowed to send X-Forwarded-* headers. Strip any client-provided X-Forwarded-Uri header at the reverse proxy or load balancer level. Explicitly overwrite X-Forwarded-Uri with the actual request URI before forwarding requests to OAuth2 Proxy. Restrict direct client access to OAuth2 Proxy so it is only reachable through a trusted reverse proxy. Remove or narrow --skip-auth-route or --skip-auth-regex rules where possible.
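The following Go program is an added illustration of the decision the description and recommendations above are about; it is not OAuth2 Proxy's own code. It models, in a hypothetical `SkipAuthPolicy` type, the two ways a proxy can pick the path that skip-auth rules are evaluated against: the weak form honours `X-Forwarded-Uri` from any peer whenever reverse-proxy mode is on, and the hardened form (the effect of the `--trusted-proxy-ip` recommendation) honours it only when the TCP peer address falls inside a configured proxy CIDR, otherwise using the path that was actually received, which is the path the upstream will see. The configuration values, addresses and the `/healthz` rule are constructed for the demo.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"regexp"
	"strings"
)

// SkipAuthPolicy is a hypothetical model of the skip-auth decision; the field
// names stand in for the --reverse-proxy, --trusted-proxy-ip and
// --skip-auth-regex settings. This is illustrative, not the project's code.
type SkipAuthPolicy struct {
	ReverseProxy   bool
	TrustedProxies []*net.IPNet
	SkipAuthRegex  []*regexp.Regexp
}

// NewSkipAuthPolicy parses CIDRs and regexes up front so that a bad
// configuration fails at startup rather than on a live request.
func NewSkipAuthPolicy(reverseProxy bool, trustedCIDRs, skipRegex []string) (*SkipAuthPolicy, error) {
	p := &SkipAuthPolicy{ReverseProxy: reverseProxy}
	for _, c := range trustedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("trusted proxy %q: %w", c, err)
		}
		p.TrustedProxies = append(p.TrustedProxies, n)
	}
	for _, re := range skipRegex {
		compiled, err := regexp.Compile(re)
		if err != nil {
			return nil, fmt.Errorf("skip-auth-regex %q: %w", re, err)
		}
		p.SkipAuthRegex = append(p.SkipAuthRegex, compiled)
	}
	return p, nil
}

// peerTrusted reports whether the peer that delivered the request is one of
// the configured reverse proxies. RemoteAddr comes from the socket, so unlike
// a header it is not chosen by the client.
func (p *SkipAuthPolicy) peerTrusted(r *http.Request) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range p.TrustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// EvalPathWeak mirrors the behaviour the advisory describes: in reverse-proxy
// mode the X-Forwarded-Uri header is honoured from any peer.
func (p *SkipAuthPolicy) EvalPathWeak(r *http.Request) string {
	if p.ReverseProxy {
		if fwd := r.Header.Get("X-Forwarded-Uri"); fwd != "" {
			return pathOnly(fwd)
		}
	}
	return r.URL.Path
}

// EvalPathHardened honours the header only from a trusted proxy; otherwise the
// path received on the socket is used, which is also what the upstream sees.
func (p *SkipAuthPolicy) EvalPathHardened(r *http.Request) string {
	if p.ReverseProxy && p.peerTrusted(r) {
		if fwd := r.Header.Get("X-Forwarded-Uri"); fwd != "" {
			return pathOnly(fwd)
		}
	}
	return r.URL.Path
}

// pathOnly strips a query string so rules match against the path alone.
func pathOnly(uri string) string {
	if i := strings.IndexByte(uri, '?'); i >= 0 {
		return uri[:i]
	}
	return uri
}

// SkipsAuth reports whether any skip-auth rule matches the evaluated path.
func (p *SkipAuthPolicy) SkipsAuth(path string) bool {
	for _, re := range p.SkipAuthRegex {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

// NewRequest builds a constructed request: the real request-line path, an
// optional X-Forwarded-Uri value, and the peer address as the server would see it.
func NewRequest(path, forwardedURI, remoteAddr string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://oauth2-proxy.internal"+path, nil)
	if forwardedURI != "" {
		r.Header.Set("X-Forwarded-Uri", forwardedURI)
	}
	r.RemoteAddr = remoteAddr
	return r
}

func main() {
	// Constructed configuration: only 10.0.0.0/24 is a trusted proxy range and
	// only /healthz is exempt from authentication.
	p, err := NewSkipAuthPolicy(true, []string{"10.0.0.0/24"}, []string{`^/healthz$`})
	if err != nil {
		panic(err)
	}
	// A request for /admin carrying a header that claims /healthz, arriving
	// from an address outside the trusted proxy range.
	req := NewRequest("/admin", "/healthz", "203.0.113.7:51234")
	fmt.Printf("weak:     evaluated %-8s skip auth=%v\n", p.EvalPathWeak(req), p.SkipsAuth(p.EvalPathWeak(req)))
	fmt.Printf("hardened: evaluated %-8s skip auth=%v\n", p.EvalPathHardened(req), p.SkipsAuth(p.EvalPathHardened(req)))
}
```

The hardened variant is the in-process counterpart of the edge-side recommendations: if the reverse proxy overwrites `X-Forwarded-Uri` with the real request URI and OAuth2 Proxy is reachable only from that proxy, the header and the socket path agree, and the skip-auth decision is made against the same path the upstream receives.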

Fix

Authentication Bypass by Spoofing

Weakness Enumeration

Related Identifiers

BIT-OAUTH2-PROXY-2026-40575
CVE-2026-40575
GHSA-7X63-XV5R-3P2X

Affected Products

Oauth2 Proxy