Perceptive Security
SOC/SIEM Consultancy

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri`…
Published: 21 April 2026 at 22:00:00
Alert date: 22 April 2026 at 22:11:22
Source: nvd.nist.gov
Identity & Access, Web Technologies
OAuth2 Proxy versions 7.5.0 through 7.15.1 contain an authentication bypass vulnerability where attackers can spoof the `X-Forwarded-Uri` header when reverse-proxy and skip-auth configurations are enabled. This allows unauthenticated remote attackers to bypass authentication and access protected routes without valid sessions. The vulnerability affects deployments with `--reverse-proxy` enabled and at least one `--skip-auth-regex` or `--skip-auth-route` rule configured. The issue is patched in version 7.15.2, with several workarounds available for immediate mitigation.
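To make the bug class concrete, the following Go program is an added example written for this alert; it is not oauth2-proxy's own code and does not reproduce the project's logic or its 7.15.2 fix. It models a skip-auth gate in two variants: one that honours `X-Forwarded-Uri` from any caller (the behaviour the advisory describes), and a hardened one that only honours forwarded headers when the TCP peer is inside a trusted-proxy network and otherwise judges the caller on the path it actually requested. The skip rules, the trusted network `10.0.0.0/24`, the peer addresses and the request paths are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
)

// Constructed skip-auth rules, standing in for --skip-auth-regex / --skip-auth-route values.
var skipRules = []*regexp.Regexp{
	regexp.MustCompile(`^/healthz$`),
	regexp.MustCompile(`^/static/`),
}

// Hypothetical trusted-proxy network: only a reverse proxy inside it may set X-Forwarded-Uri.
var trustedProxies = mustCIDRs("10.0.0.0/24")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isTrustedProxy reports whether the TCP peer address lies inside a trusted-proxy network.
func isTrustedProxy(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range trustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// effectivePath returns the path the skip-auth rules are matched against. When
// honourForwarded is true, a present X-Forwarded-Uri header overrides the request URL.
func effectivePath(r *http.Request, honourForwarded bool) string {
	if honourForwarded {
		if fwd := r.Header.Get("X-Forwarded-Uri"); fwd != "" {
			if u, err := url.Parse(fwd); err == nil {
				return u.Path
			}
		}
	}
	return r.URL.Path
}

func matchesSkipRule(path string) bool {
	for _, re := range skipRules {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

// skipAuthVulnerable models the bug class: every caller's X-Forwarded-Uri is honoured,
// so a direct client can name a skip-auth path while actually requesting a protected one.
func skipAuthVulnerable(r *http.Request) bool {
	return matchesSkipRule(effectivePath(r, true))
}

// skipAuthHardened honours forwarded headers only when the peer is a trusted proxy;
// anyone else is judged on the path they actually requested.
func skipAuthHardened(r *http.Request) bool {
	return matchesSkipRule(effectivePath(r, isTrustedProxy(r.RemoteAddr)))
}

// newRequest builds a constructed request with the given peer address and optional header.
func newRequest(remote, path, forwardedURI string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, path, nil)
	r.RemoteAddr = remote
	if forwardedURI != "" {
		r.Header.Set("X-Forwarded-Uri", forwardedURI)
	}
	return r
}

func main() {
	// Constructed sample: a direct client requests /admin but claims /healthz in the header.
	spoofed := newRequest("198.51.100.7:4000", "/admin", "/healthz")
	fmt.Println("vulnerable skips auth:", skipAuthVulnerable(spoofed)) // true
	fmt.Println("hardened skips auth:  ", skipAuthHardened(spoofed))   // false

	// The same header arriving from the trusted proxy is honoured by both variants.
	proxied := newRequest("10.0.0.5:5000", "/auth-check", "/healthz")
	fmt.Println("hardened, via proxy:  ", skipAuthHardened(proxied)) // true
}
```

The defensive point is the one the advisory makes: a forwarded-URI header is only meaningful when the component that set it is the proxy in front of you, so the deployment fix is to upgrade to 7.15.2 and, as a general pattern, to ensure the proxy layer overwrites rather than passes through client-supplied `X-Forwarded-*` headers. Access-log review for requests carrying `X-Forwarded-Uri` values that do not match the actual request path is a useful detection check in the meantime.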
Technical details
Affected products:
OAuth2 Proxy
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-40575
https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x
This article was created with the assistance of AI technology by Perceptive.
