CVE-2026-40575 is a critical authentication bypass vulnerability affecting OAuth2 Proxy. The flaw exists in how the proxy handles the `X-Forwarded-Uri` header when configured in reverse proxy mode with `--skip-auth-route` or `--skip-auth-regex` rules.
Under these specific configurations, OAuth2 Proxy may trust a client-supplied `X-Forwarded-Uri` header. By spoofing this header, an attacker can make the proxy evaluate its authentication and skip-auth rules against a different path than the one actually sent to the upstream application.
This allows an unauthenticated remote attacker to bypass authentication entirely and access protected routes without any valid session. The root cause is a lack of proper validation for the `X-Forwarded-Uri` header, which should only be trusted when it originates from a known, trusted reverse proxy.
The issue is fixed in version 7.15.2 with the introduction of the `--trusted-proxy-ip` flag, which allows administrators to specify which IPs or CIDR ranges are allowed to send `X-Forwarded-*` headers. However, if the flag is left unset, OAuth2 Proxy will still trust all source IPs (0.0.0.0/0) for backwards compatibility, meaning the vulnerability remains exploitable until the flag is configured.
dailycve form:
Platform: OAuth2 Proxy
Version: Before 7.15.2
Vulnerability: Authentication Bypass
Severity: Critical
Date: 2026-04-15
Prediction: 2026-04-14
What Undercode Say:
Check the current OAuth2 Proxy version:
`oauth2-proxy --version`
Test for the vulnerability by sending a spoofed `X-Forwarded-Uri` header:
`curl -H "X-Forwarded-Uri: /public-path" http://target-oauth2-proxy:4180/protected-path`
Example of a vulnerable configuration (DO NOT USE):
`./oauth2-proxy --reverse-proxy --skip-auth-regex="^/public/."`
Check whether `--trusted-proxy-ip` is configured:
`grep -r "trusted-proxy-ip" /etc/oauth2-proxy/`
Mitigation: overwrite the header in nginx (recommended):
`proxy_set_header X-Forwarded-Uri $request_uri;`
Exploit:
An attacker can craft a request with a malicious `X-Forwarded-Uri` header pointing to a path that matches a `--skip-auth-route` rule (e.g., `/health` or `/public`), while the actual request targets a protected endpoint. OAuth2 Proxy will evaluate the skip rule against the spoofed path, bypass authentication, and forward the request to the upstream application.
Protection from this CVE:
1. Upgrade to OAuth2 Proxy v7.15.2 or later.
2. Configure `--trusted-proxy-ip` with the IPs/CIDRs of your trusted reverse proxies.
3. Strip any client-supplied `X-Forwarded-Uri` header at the reverse proxy level.
4. Explicitly overwrite `X-Forwarded-Uri` with the actual request URI before forwarding to OAuth2 Proxy.
5. Restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy.
6. Remove or narrow `--skip-auth-route`/`--skip-auth-regex` rules where possible.
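The following Go program is an added example, not oauth2-proxy's own code. It models the skip-auth decision described above (which path the `--skip-auth-regex` rules are evaluated against) and the effect of the mitigations in this list: the `Config` type, `ParseCIDRs`, `EffectivePath` and `SkipsAuth` are hypothetical names, the `10.0.0.0/8` proxy range and the `203.0.113.7` client address are constructed sample values, and a nil `TrustedProxies` list stands in for the unset `--trusted-proxy-ip` flag that trusts every source. The last case shows why overwriting the header at nginx (`proxy_set_header X-Forwarded-Uri $request_uri;`) helps: header and real path then always agree.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Config is a hypothetical model of the three oauth2-proxy settings the advisory
// names; it is not oauth2-proxy's own configuration type.
type Config struct {
	ReverseProxy   bool             // --reverse-proxy: honour X-Forwarded-* headers
	SkipAuthRegex  []*regexp.Regexp // --skip-auth-regex rules
	TrustedProxies []*net.IPNet     // --trusted-proxy-ip; nil models the flag being unset
}

// ParseCIDRs converts "10.0.0.0/8"-style entries to networks; a bare IPv4 address becomes a /32.
func ParseCIDRs(entries []string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, e := range entries {
		if !strings.Contains(e, "/") {
			e += "/32"
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// trustsSource reports whether X-Forwarded-* headers from remoteAddr may be honoured.
// A nil list reproduces the backwards-compatible default the advisory warns about:
// every source (0.0.0.0/0) is trusted, so the fix only takes effect once the flag is set.
func (c Config) trustsSource(remoteAddr string) bool {
	if c.TrustedProxies == nil {
		return true
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port component
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range c.TrustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// EffectivePath is the path the skip-auth rules are evaluated against: the header value
// when it comes from a trusted proxy in reverse-proxy mode, otherwise the real request path.
func (c Config) EffectivePath(remoteAddr, realPath, forwardedURI string) string {
	if c.ReverseProxy && forwardedURI != "" && c.trustsSource(remoteAddr) {
		return forwardedURI
	}
	return realPath
}

// SkipsAuth reports whether the request would be forwarded upstream without a session.
func (c Config) SkipsAuth(remoteAddr, realPath, forwardedURI string) bool {
	path := c.EffectivePath(remoteAddr, realPath, forwardedURI)
	for _, re := range c.SkipAuthRegex {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

func main() {
	rules := []*regexp.Regexp{regexp.MustCompile(`^/public/.`)} // the advisory's example rule
	// Constructed sample: a client on 203.0.113.7 spoofs the header; the real path is protected.
	const client, spoofed, real = "203.0.113.7:51000", "/public/x", "/protected-path"

	unset := Config{ReverseProxy: true, SkipAuthRegex: rules} // flag unset: trusts 0.0.0.0/0
	fmt.Println("flag unset, spoofed header, auth skipped:", unset.SkipsAuth(client, real, spoofed)) // true

	trusted, _ := ParseCIDRs([]string{"10.0.0.0/8"}) // constructed internal range for the nginx tier
	fixed := Config{ReverseProxy: true, SkipAuthRegex: rules, TrustedProxies: trusted}
	fmt.Println("flag set, spoofed header from client, auth skipped:", fixed.SkipsAuth(client, real, spoofed)) // false
	// nginx (10.0.0.5) overwrites the header with $request_uri, so header and real path agree.
	fmt.Println("flag set, header from nginx matches real path, auth skipped:", fixed.SkipsAuth("10.0.0.5:4000", real, real)) // false
}
```

The check that matters is the source-address test in `trustsSource`: once `TrustedProxies` is populated, a header arriving directly from a client is ignored and the rules see the real path. Combining this with the nginx overwrite means that even a trusted proxy can only ever forward the path it actually received.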
Impact:
Successful exploitation allows an unauthenticated remote attacker to bypass authentication and access any protected route, potentially leading to data breaches, privilege escalation, or complete compromise of the upstream application.
Sources:
Reported By: github.com