OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri`…

OAuth2 Proxy versions 7.5.0 through 7.15.1 contain an authentication bypass vulnerability where attackers can spoof the X-Forwarded-Uri header when reverse-proxy and skip-auth configurations are enabled. This allows unauthenticated remote attackers to bypass authentication and access protected routes without valid sessions. The vulnerability affects deployments with --reverse-proxy enabled and at least one --skip-auth-regex or --skip-auth-route rule configured. The issue is patched in version 7.15.2, with several workarounds available for immediate mitigation.