OAuth2 Proxy Auth Bypass Lets Attackers Access Protected Routes
CVE-2026-40575 (CVSS 9.1) allows unauthenticated attackers to bypass OAuth2 Proxy authentication via X-Forwarded-Uri header spoofing. Patch to v7.15.2 immediately.
A critical authentication bypass vulnerability in OAuth2 Proxy could let unauthenticated remote attackers access protected routes by spoofing a single HTTP header. The flaw, tracked as CVE-2026-40575, carries a CVSS score of 9.1 and affects versions 7.5.0 through 7.15.1.
OAuth2 Proxy is widely deployed as a reverse proxy that provides authentication using OAuth2 providers like Google, GitHub, and Azure AD. Organizations use it to protect internal applications without modifying application code. This makes the vulnerability particularly dangerous—a single misconfiguration could expose any application sitting behind the proxy.
How the Attack Works
The vulnerability exists in how OAuth2 Proxy handles the X-Forwarded-Uri header when running in reverse proxy mode. When both --reverse-proxy is enabled and --skip-auth-route or --skip-auth-regex is configured, the proxy trusts the client-supplied header without validation.
An attacker can exploit this by sending a request with a spoofed X-Forwarded-Uri header pointing to a path that matches a skip-auth rule. The proxy evaluates authentication against the spoofed path while forwarding the actual request to the upstream application. The result: complete authentication bypass.
Consider an organization that configured --skip-auth-route=/health to allow monitoring systems to check application health without authentication. An attacker could send a request to /admin/users with X-Forwarded-Uri: /health, and the proxy would skip authentication entirely while forwarding the /admin/users request upstream.
Who's Affected
Any deployment running OAuth2 Proxy versions 7.5.0 through 7.15.1 with both conditions met:
- --reverse-proxy flag enabled (common in production deployments)
- --skip-auth-route or --skip-auth-regex configured
Organizations using OAuth2 Proxy behind a load balancer or reverse proxy that doesn't strip client-provided forwarded headers are most at risk. The vulnerability requires no authentication and can be exploited remotely.
Patch and Workarounds
The maintainers released version 7.15.2 to address the vulnerability. Organizations should upgrade immediately. This follows a pattern we've seen with other authentication bypass flaws in proxy software—similar header-based attacks affected Nginx UI earlier this month.
If immediate patching isn't possible, Belgium's CCB advisory recommends several workarounds:
- Strip forwarded headers at the edge: configure your load balancer or reverse proxy to remove any client-provided X-Forwarded-Uri headers before they reach OAuth2 Proxy
- Overwrite the header: explicitly set X-Forwarded-Uri to the actual request URI at the reverse proxy level
- Restrict direct access: ensure OAuth2 Proxy can only be reached through your trusted reverse proxy, not directly from clients
- Narrow skip-auth rules: remove or restrict --skip-auth-route and --skip-auth-regex configurations where possible
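To make the attack conditions and the header-overwrite workaround concrete, here is a small Go model written for this article (not OAuth2 Proxy's own code) of a skip-auth check that trusts X-Forwarded-Uri in reverse-proxy mode, run against the /admin/users example above, next to the hardened check and an edge middleware that overwrites the header. The Config type, the function names and the use of a single compiled skip-auth rule are this example's simplifications.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Config models the two settings the advisory names; type and field names are this example's own.
type Config struct {
	ReverseProxy bool
	SkipAuth     *regexp.Regexp // one compiled --skip-auth-route / --skip-auth-regex rule
}

// AuthPathVulnerable models the flaw: in reverse-proxy mode the client-supplied
// X-Forwarded-Uri is trusted as the path that the skip-auth rule is checked against.
func AuthPathVulnerable(cfg Config, r *http.Request) string {
	if fwd := r.Header.Get("X-Forwarded-Uri"); cfg.ReverseProxy && fwd != "" {
		return fwd
	}
	return r.URL.Path
}

// AuthPathHardened models the safe behaviour: authorise the path actually forwarded upstream.
func AuthPathHardened(_ Config, r *http.Request) string { return r.URL.Path }

// SkipsAuth reports whether the skip-auth rule matches the path being authorised.
func SkipsAuth(cfg Config, path string) bool {
	return cfg.SkipAuth != nil && cfg.SkipAuth.MatchString(path)
}

// OverwriteForwardedURI is the edge-side workaround: replace the header with the
// real request URI before the request reaches the proxy, whatever the client sent.
func OverwriteForwardedURI(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Set("X-Forwarded-Uri", r.URL.RequestURI())
		next.ServeHTTP(w, r)
	})
}

func main() {
	cfg := Config{ReverseProxy: true, SkipAuth: regexp.MustCompile(`^/health$`)}
	r := httptest.NewRequest("GET", "/admin/users", nil) // constructed request from the article
	r.Header.Set("X-Forwarded-Uri", "/health")
	fmt.Println("vulnerable skips auth:", SkipsAuth(cfg, AuthPathVulnerable(cfg, r))) // true
	fmt.Println("hardened skips auth:  ", SkipsAuth(cfg, AuthPathHardened(cfg, r)))   // false
	OverwriteForwardedURI(http.NotFoundHandler()).ServeHTTP(httptest.NewRecorder(), r)
	fmt.Println("after edge overwrite: ", SkipsAuth(cfg, AuthPathVulnerable(cfg, r))) // false
}
```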
Why This Matters
OAuth2 Proxy protects thousands of internal applications across enterprises, startups, and cloud deployments. The project has over 8,000 stars on GitHub and appears in countless Kubernetes deployments as a sidecar authentication proxy.
Header-based authentication bypasses are increasingly common. Attackers know that many organizations configure authentication at the proxy level while leaving backend applications unprotected. When that proxy layer fails, everything behind it becomes accessible. We've covered similar proxy-level authentication issues in FortiGate appliances that attackers exploited within days of disclosure.
Organizations should audit their OAuth2 Proxy configurations immediately, particularly looking for deployments where skip-auth rules might expose sensitive routes. The fix is straightforward, but the window for exploitation is open until patches are applied.