OAuth2 Proxy Authentication Bypass via X-Forwarded-Uri Header Spoofing
OAuth2 Proxy is vulnerable to an authentication bypass when configured with `--reverse-proxy` and `--skip_auth_routes` or `--skip_auth_regex`; by spoofing the `X-Forwarded-Uri` header, an attacker can bypass authentication and access protected routes without a valid session.
OAuth2 Proxy versions before 7.15.2 are susceptible to an authentication bypass vulnerability (CVE-2026-40575) when configured with both the --reverse-proxy flag and either --skip_auth_routes or --skip_auth_regex. This configuration flaw allows an attacker to spoof the X-Forwarded-Uri header, tricking OAuth2 Proxy into evaluating authentication and skip-auth rules against an attacker-controlled path rather than the actual request URI. The vulnerability exists because OAuth2 Proxy trusts client-supplied X-Forwarded-Uri headers. Version 7.15.2 introduces the --trusted-proxy-ip flag to mitigate this issue by allowing administrators to specify trusted reverse proxy IPs. However, upgrading alone is insufficient; the --trusted-proxy-ip flag must be configured, and additional mitigation steps are recommended to properly secure deployments.
Attack Chain
- The attacker identifies an OAuth2 Proxy instance configured with
--reverse-proxyand--skip_auth_routes(or--skip_auth_regex). - The attacker crafts a malicious HTTP request targeting a protected route.
- The attacker adds an
X-Forwarded-Uriheader to the request, setting its value to a path configured in--skip_auth_routes. - The reverse proxy forwards the request, including the attacker-controlled
X-Forwarded-Uriheader, to the OAuth2 Proxy instance. - OAuth2 Proxy evaluates the
X-Forwarded-Uriheader against the--skip_auth_routesrules and incorrectly determines that authentication is not required. - OAuth2 Proxy forwards the request, now bypassing authentication, to the upstream application.
- The upstream application processes the request, granting the attacker unauthorized access to the protected resource.
- The attacker successfully accesses the protected route and performs unauthorized actions.
Impact
Successful exploitation of this vulnerability (CVE-2026-40575) allows unauthenticated remote attackers to bypass authentication and access protected routes without valid credentials. This could lead to complete compromise of the application behind the OAuth2 Proxy instance, including data theft, modification, or service disruption. The severity is critical as it directly undermines the authentication mechanism, potentially affecting any organization using OAuth2 Proxy with the vulnerable configuration. The number of affected organizations is currently unknown, but any deployment meeting the criteria is vulnerable.
Recommendation
- Upgrade OAuth2 Proxy to version 7.15.2 or later and configure the
--trusted-proxy-ipflag to explicitly define trusted reverse proxy IPs to mitigate CVE-2026-40575. - Implement reverse proxy or load balancer rules to strip or overwrite the
X-Forwarded-Uriheader from client requests, ensuring OAuth2 Proxy receives the correct request URI, as shown in the nginx example. - Restrict direct client access to OAuth2 Proxy, ensuring it can only be reached through a trusted reverse proxy to prevent attackers from directly injecting malicious headers.
- Review and narrow
--skip-auth-route/--skip-auth-regexrules where possible to minimize the attack surface and reduce the potential for authentication bypass.
Detection coverage 2
Detect X-Forwarded-Uri Header Present in Request to OAuth2 Proxy
mediumDetects requests to OAuth2 Proxy that contain the X-Forwarded-Uri header, which could indicate an attempt to exploit the authentication bypass vulnerability (CVE-2026-40575).
Detect Direct Client Access to OAuth2 Proxy
lowDetects connections to OAuth2 Proxy originating from outside the defined trusted proxy IP range.
Detection queries are available on the platform. Get full rules →