
CVE

CVE-2026-40575

OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing

Impact

A configuration-dependent authentication bypass exists in OAuth2 Proxy.

Deployments are affected when all of the following are true:

  • OAuth2 Proxy is configured with --reverse-proxy
  • and at least one rule is defined with --skip-auth-route or the legacy --skip-auth-regex

OAuth2 Proxy may trust a client-supplied X-Forwarded-Uri header when --reverse-proxy is enabled and --skip-auth-route or --skip-auth-regex is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application.

This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session.

Patches

This issue is addressed as part of the newly introduced --trusted-proxy-ip flag in v7.15.2. If you leave it unset, OAuth2 Proxy will continue to trust ALL source IPs (0.0.0.0/0) for backwards compatibility, which means a client may still be able to spoof forwarded headers. Therefore, after upgrading, we urge you to use the new --trusted-proxy-ip flag to set the IPs or CIDR ranges of the reverse proxies that are allowed to send X-Forwarded-* headers, and furthermore to implement the mitigation steps outlined below to properly configure your load balancer infrastructure.

Mitigation

  • Strip any client-provided X-Forwarded-Uri header at the reverse proxy or load balancer level
  • Explicitly overwrite X-Forwarded-Uri with the actual request URI before forwarding requests to OAuth2 Proxy

  Example nginx mitigation for the auth subrequest:

  ```
  location /internal-auth/ {
      internal; # Ensure external users can't access this path

      # Make sure the OAuth2 Proxy knows where the original request came from.
      proxy_set_header Host       $host;
      proxy_set_header X-Real-IP  $remote_addr;
      # Set the value to the actual $request_uri and therefore strip any user-provided X-Forwarded-Uri
      proxy_set_header X-Forwarded-Uri $request_uri;

      proxy_pass http://oauth2-proxy:4180/;
  }
  ```

  • Restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy
  • Remove or narrow --skip-auth-route / --skip-auth-regex rules where possible
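The two controls above (a trusted-proxy allow-list like --trusted-proxy-ip, and dropping client-supplied X-Forwarded-* headers so the auth decision is made against the real request path) can be checked in isolation with a small Go program. This is an added example written for this page, not OAuth2 Proxy's own code; the flag format (comma-free list of IPs or CIDRs), the peer addresses and the paths are constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ForwardedHeaders are the headers a reverse proxy is expected to set and that
// must never be accepted from a peer that is not a trusted proxy.
var ForwardedHeaders = []string{
	"X-Forwarded-Uri",
	"X-Forwarded-Host",
	"X-Forwarded-Proto",
	"X-Forwarded-For",
	"X-Real-IP",
}

// ParseTrustedProxies turns a list of IPs or CIDRs (the assumed shape of a
// --trusted-proxy-ip setting) into networks. A bare IP becomes a /32 or /128.
func ParseTrustedProxies(entries []string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if e == "" {
			continue
		}
		if !strings.Contains(e, "/") {
			ip := net.ParseIP(e)
			if ip == nil {
				return nil, fmt.Errorf("invalid trusted proxy ip %q", e)
			}
			bits := 32
			if ip.To4() == nil {
				bits = 128
			}
			e = fmt.Sprintf("%s/%d", ip, bits)
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// isTrusted reports whether the TCP peer address belongs to a trusted proxy.
func isTrusted(remoteAddr string, nets []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// SanitizeForwarded deletes every forwarded header unless the peer is a trusted
// proxy. It returns true when headers were stripped.
func SanitizeForwarded(r *http.Request, nets []*net.IPNet) bool {
	if isTrusted(r.RemoteAddr, nets) {
		return false
	}
	for _, h := range ForwardedHeaders {
		r.Header.Del(h)
	}
	return true
}

// EffectivePath is the path an auth or skip-auth rule should be evaluated on:
// X-Forwarded-Uri only if it survived sanitisation, otherwise the request path.
func EffectivePath(r *http.Request) string {
	if uri := r.Header.Get("X-Forwarded-Uri"); uri != "" {
		if i := strings.Index(uri, "?"); i >= 0 {
			uri = uri[:i]
		}
		return uri
	}
	return r.URL.Path
}

// Demo builds a constructed request from remoteAddr with an optional
// X-Forwarded-Uri and returns the path the rules would see and whether the
// header was stripped.
func Demo(trusted []string, remoteAddr, path, forwardedURI string) (string, bool, error) {
	nets, err := ParseTrustedProxies(trusted)
	if err != nil {
		return "", false, err
	}
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.RemoteAddr = remoteAddr
	if forwardedURI != "" {
		req.Header.Set("X-Forwarded-Uri", forwardedURI)
	}
	stripped := SanitizeForwarded(req, nets)
	return EffectivePath(req), stripped, nil
}

func main() {
	trusted := []string{"10.0.0.0/8", "192.168.1.5"} // constructed allow-list
	p, s, _ := Demo(trusted, "203.0.113.7:51234", "/admin/users", "/healthz")
	fmt.Printf("untrusted peer: rules see %s (stripped=%v)\n", p, s)
	p, s, _ = Demo(trusted, "10.1.2.3:4000", "/", "/admin/users?x=1")
	fmt.Printf("trusted proxy:  rules see %s (stripped=%v)\n", p, s)
}
```

The first call models a direct client that sends a spoofed X-Forwarded-Uri pointing at a skip-auth path while actually requesting /admin/users; because 203.0.113.7 is not in the allow-list the header is dropped and the rules are evaluated on /admin/users. The second call models the legitimate nginx hop, whose header is kept. An empty allow-list in this example trusts nobody, which is the opposite default from the 0.0.0.0/0 backwards-compatible behaviour described under Patches, so set the list explicitly either way.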


CVSS

Version: 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Impact: Confidentiality High, Integrity High, Availability None; Scope Unchanged


References

  • https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x
  • https://github.com/oauth2-proxy/oauth2-proxy

Severity

CVSS base score: 9.1 (Critical)

Basic Information

Ecosystem
Base CVSS: 9.1
EPSS Probability: 0%
EPSS Percentile: 0%
Introduced Version: 7.5.0
Fix Available: 7.15.2
