Description
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabled and `--skip-auth-regex` or `--skip-auth-route` is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application. This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session. Impacted users are deployments that run oauth2-proxy with `--reverse-proxy` enabled and configure at least one `--skip-auth-regex` or `--skip-auth-route` rule. This issue is patched in `v7.15.2`. Some workarounds are available for those who cannot upgrade immediately. Strip any client-provided `X-Forwarded-Uri` header at the reverse proxy or load balancer level; explicitly overwrite `X-Forwarded-Uri` with the actual request URI before forwarding requests to OAuth2 Proxy; restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy; and/or remove or narrow `--skip-auth-regex` / `--skip-auth-route` rules where possible. For nginx-based deployments, ensure `X-Forwarded-Uri` is set by nginx and not passed through from the client.
Published: 2026-04-21
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

OAuth2 Proxy may accept a client-supplied X-Forwarded-Uri header when reverse proxy mode is enabled and skip-auth rules are active. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth logic against a different path than the one actually sent to the upstream application, resulting in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session.

Affected Systems

Versions 7.5.0 through 7.15.1 of the oauth2-proxy project that run with the --reverse-proxy flag and define at least one --skip-auth-regex or --skip-auth-route rule are affected. Deployments using these settings are at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.1, indicating a high severity authentication bypass. No EPSS score is currently available, and the absence of a KEV listing does not reduce the risk: attackers who can reach the proxy instance can send crafted HTTP requests that manipulate the X-Forwarded-Uri header, escalating privilege and accessing restricted content. Exploitation requires only the ability to send requests to OAuth2 Proxy, which is common in web-based deployments.

Generated by OpenCVE AI on April 22, 2026 at 06:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the available patch to upgrade to oauth2-proxy v7.15.2 or later.
  • Configure the reverse proxy or load balancer so that it does not forward client-supplied X-Forwarded-Uri headers; instead, overwrite the header with the actual request URI before forwarding to OAuth2 Proxy.
  • Remove or narrow any --skip-auth-regex or --skip-auth-route rules so that they match only the intended exempt paths.
  • Restrict direct client access to the OAuth2 Proxy so that it is only reachable through a trusted reverse proxy in the infrastructure.
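The Description and the recommended actions above both come down to one rule for nginx-based deployments: nginx, not the client, must be the source of X-Forwarded-Uri. The configuration below is an added example written for this page; it is not from the advisory or from the oauth2-proxy project. It assumes the common auth_request layout in which nginx fronts the application and asks OAuth2 Proxy (assumed to listen on 127.0.0.1:4180) whether each request is authenticated; the upstream address is a placeholder. The point of each proxy_set_header X-Forwarded-Uri line is that nginx replaces the header field outright, so a value supplied by the client never reaches OAuth2 Proxy; without such a line nginx passes the client's request headers through unchanged.

```nginx
# Added example: nginx in front of an application, delegating the
# authentication decision to OAuth2 Proxy via auth_request.
server {
    listen 443 ssl;
    server_name app.example.com;   # placeholder hostname

    # Subrequest target used by auth_request. The subrequest's own URI is
    # /oauth2/auth, so OAuth2 Proxy learns the real path only from
    # X-Forwarded-Uri. Setting it here from $request_uri overwrites any
    # X-Forwarded-Uri the client sent, which is the mitigation.
    location = /oauth2/auth {
        internal;
        proxy_pass              http://127.0.0.1:4180;
        proxy_set_header        Host              $host;
        proxy_set_header        X-Real-IP         $remote_addr;
        proxy_set_header        X-Forwarded-Uri   $request_uri;
        proxy_set_header        X-Forwarded-Proto $scheme;
        # auth_request subrequests must not carry a body.
        proxy_set_header        Content-Length    "";
        proxy_pass_request_body off;
    }

    # OAuth2 Proxy's own endpoints (sign-in, callback, sign-out).
    # Overwrite the header here too, so the client value never passes through.
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Forwarded-Uri         $request_uri;
        proxy_set_header X-Forwarded-Proto       $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Protected application. Every request is first checked by /oauth2/auth;
    # a 401 from OAuth2 Proxy is turned into a redirect to the sign-in page.
    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        proxy_pass       http://127.0.0.1:8080;   # placeholder upstream app
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

If OAuth2 Proxy itself is the reverse proxy to the upstream (the --upstream mode) rather than an auth_request backend, the same single line, proxy_set_header X-Forwarded-Uri $request_uri; in the location block that proxies to OAuth2 Proxy, is what replaces the client-supplied value. Whichever layout is in use, also restrict network access so clients cannot reach port 4180 directly and bypass nginx's header handling altogether, as the recommended actions state.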


Advisories

Source: GitHub GHSA
ID: GHSA-7x63-xv5r-3p2x
Title: OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing
History

Wed, 22 Apr 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 11:45:00 +0000

Type: First Time appeared
Values Added: Oauth2 Proxy Project; Oauth2 Proxy Project oauth2 Proxy

Type: Vendors & Products
Values Added: Oauth2 Proxy Project; Oauth2 Proxy Project oauth2 Proxy

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Added: the description text shown in the Description section at the top of this page

Type: Title
Values Added: OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing

Type: Weaknesses
Values Added: CWE-290

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T14:15:41.802Z

Reserved: 2026-04-14T13:24:29.475Z

Link: CVE-2026-40575

Vulnrichment

Updated: 2026-04-22T14:15:37.496Z

NVD

Status: Received

Published: 2026-04-22T00:16:27.817

Modified: 2026-04-22T00:16:27.817

Link: CVE-2026-40575

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:30:15Z

Weaknesses