CVE-2026-40575
Published: 22 April 2026
Description
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabled and `--skip-auth-regex` or `--skip-auth-route` is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application. This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session. Impacted users are deployments that run oauth2-proxy with `--reverse-proxy` enabled and configure at least one `--skip-auth-regex` or `--skip-auth-route` rule. This issue is patched in `v7.15.2`. Some workarounds are available for those who cannot upgrade immediately. Strip any client-provided `X-Forwarded-Uri` header at the reverse proxy or load balancer level; explicitly overwrite `X-Forwarded-Uri` with the actual request URI before forwarding requests to OAuth2 Proxy; restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy; and/or remove or narrow `--skip-auth-regex` / `--skip-auth-route` rules where possible. For nginx-based deployments, ensure `X-Forwarded-Uri` is set by nginx and not passed through from the client.
Mitigating Controls (NIST 800-53 r5)
Remediates the specific flaw in OAuth2 Proxy versions 7.5.0-7.15.1 by applying patches in v7.15.2, preventing header spoofing that bypasses authentication.
Requires validation of client-supplied X-Forwarded-Uri headers at proxy entry points to block spoofing that tricks skip-auth rule evaluation.
Ensures secure configuration settings for reverse proxies to strip or overwrite untrusted X-Forwarded-Uri headers and narrow skip-auth rules.
Security Summary
OAuth2 Proxy, a reverse proxy for OAuth2 provider authentication, contains a vulnerability in versions 7.5.0 through 7.15.1 (CVE-2026-40575, published April 22, 2026) where it trusts a client-supplied `X-Forwarded-Uri` header when the `--reverse-proxy` flag is enabled alongside `--skip-auth-regex` or `--skip-auth-route` configurations. This allows an attacker to spoof the header, causing OAuth2 Proxy to evaluate authentication and skip-auth rules against a manipulated path rather than the actual request path forwarded to the upstream application. The issue, rated CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and mapped to CWE-290, affects deployments using these specific flags.
An unauthenticated remote attacker can exploit this by sending a crafted `X-Forwarded-Uri` header in requests to OAuth2 Proxy, bypassing authentication checks and gaining unauthorized access to protected upstream routes without a valid session. Exploitation requires the targeted deployment to have `--reverse-proxy` enabled and at least one skip-auth rule configured, enabling the attacker to reach otherwise protected resources.
The vulnerability is patched in OAuth2 Proxy version 7.15.2. Advisories recommend upgrading immediately, with workarounds including stripping client-provided `X-Forwarded-Uri` headers at the reverse proxy or load balancer level, explicitly overwriting the header with the actual request URI before forwarding to OAuth2 Proxy, restricting direct client access to only trusted reverse proxies, and removing or narrowing skip-auth rules where feasible. For nginx deployments, ensure `X-Forwarded-Uri` is set by nginx rather than passed from the client. See the GitHub security advisory at https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x for full details.
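An added illustration, not oauth2-proxy's own code, of the decision logic the description and summary above call for: the path that skip-auth rules see is taken from the client's real request unless a trusted proxy supplied `X-Forwarded-Uri`, and an untrusted peer asserting a different URI is surfaced as a detection signal. The two skip-auth rules and the 10.0.0.0/8 trusted-proxy network are constructed values.

```go
package main

import (
	"net/netip"
	"net/url"
	"regexp"
)

// Constructed stand-ins for --skip-auth-regex rules and for the proxy network
// allowed to assert X-Forwarded-Uri (illustrative, not oauth2-proxy's config).
var skipAuthRules = []*regexp.Regexp{
	regexp.MustCompile(`^/healthz$`),
	regexp.MustCompile(`^/public/`),
}
var trustedProxy = netip.MustParsePrefix("10.0.0.0/8")

// fromTrustedProxy reports whether the TCP peer (host:port) is the trusted proxy.
func fromTrustedProxy(remoteAddr string) bool {
	ap, err := netip.ParseAddrPort(remoteAddr)
	return err == nil && trustedProxy.Contains(ap.Addr())
}

// pathForAuthDecision returns the path skip-auth rules are evaluated against:
// X-Forwarded-Uri counts only when the trusted proxy set it; from anyone else
// the path the client actually requested is used.
func pathForAuthDecision(remoteAddr, requestPath, forwardedURI string) string {
	if forwardedURI != "" && fromTrustedProxy(remoteAddr) {
		if u, err := url.ParseRequestURI(forwardedURI); err == nil {
			return u.Path
		}
	}
	return requestPath
}

// skipsAuth applies the rules to the decision path, never to the raw header.
func skipsAuth(remoteAddr, requestPath, forwardedURI string) bool {
	path := pathForAuthDecision(remoteAddr, requestPath, forwardedURI)
	for _, re := range skipAuthRules {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

// headerMismatch is a detection hook: an untrusted peer asserting a forwarded
// URI that differs from the real path is the spoofing pattern to log and alert on.
func headerMismatch(remoteAddr, requestPath, forwardedURI string) bool {
	return forwardedURI != "" && !fromTrustedProxy(remoteAddr) && forwardedURI != requestPath
}
```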
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote attackers to bypass authentication checks in the public-facing OAuth2 Proxy by spoofing the X-Forwarded-Uri header, directly facilitating exploitation of a public-facing application.