Critical OAuth2 Proxy Auth Bypass: CVE-2026-40575

A critical authentication bypass vulnerability, CVE-2026-40575, has been identified in OAuth2 Proxy versions 7.5.0 through 7.15.1. The National Vulnerability Database reports that when --reverse-proxy is enabled and --skip-auth-regex or --skip-auth-route rules are configured, OAuth2 Proxy can be tricked by a spoofed X-Forwarded-Uri header. This allows an attacker to manipulate how authentication rules are evaluated, effectively bypassing security controls and accessing protected routes without a valid session.

The attacker’s calculus here is straightforward: exploit trust boundaries. By manipulating a commonly used HTTP header, they can force the proxy to misinterpret the intended destination, leading to unauthenticated access. This isn’t theoretical; it’s a direct path to sensitive internal applications if not mitigated. The CVSS score of 9.1 underscores the severity, indicating network exploitability with high impact on confidentiality and integrity.

Defenders need to act. The fix, available in v7.15.2, should be prioritized. For those unable to upgrade immediately, the National Vulnerability Database suggests several workarounds: strip X-Forwarded-Uri headers at the load balancer, explicitly overwrite X-Forwarded-Uri before forwarding to OAuth2 Proxy, restrict direct client access to OAuth2 Proxy, or review and narrow --skip-auth-regex/--skip-auth-route rules. For Nginx users, ensure X-Forwarded-Uri is set by Nginx itself and not passed from the client.