CVE-2026-40575

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied X-Forwarded-Uri header when --reverse-proxy is enabled and --skip-auth-regex or --skip-auth-route is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application. This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session. Impacted users are deployments that run oauth2-proxy with --reverse-proxy enabled and configure at least one --skip-auth-regex or --skip-auth-route rule. This issue is patched in v7.15.2. Some workarounds are available for those who cannot upgrade immediately. Strip any client-provided X-Forwarded-Uri header at the reverse proxy or load balancer level; explicitly overwrite X-Forwarded-Uri with the actual request URI before forwarding requests to OAuth2 Proxy; restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy; and/or remove or narrow --skip-auth-regex / --skip-auth-route rules where possible. For nginx-based deployments, ensure X-Forwarded-Uri is set by nginx and not passed through from the client.