{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/oauth2-proxy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OAuth2 Proxy"],"_cs_severities":["critical"],"_cs_tags":["oauth2-proxy","authentication-bypass","reverse-proxy","header-spoofing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOAuth2 Proxy versions before 7.15.2 are susceptible to an authentication bypass vulnerability (CVE-2026-40575) when configured with both the \u003ccode\u003e--reverse-proxy\u003c/code\u003e flag and either \u003ccode\u003e--skip_auth_routes\u003c/code\u003e or \u003ccode\u003e--skip_auth_regex\u003c/code\u003e. This configuration flaw allows an attacker to spoof the \u003ccode\u003eX-Forwarded-Uri\u003c/code\u003e header, tricking OAuth2 Proxy into evaluating authentication and skip-auth rules against an attacker-controlled path rather than the actual request URI. The vulnerability exists because OAuth2 Proxy trusts client-supplied \u003ccode\u003eX-Forwarded-Uri\u003c/code\u003e headers. Version 7.15.2 introduces the \u003ccode\u003e--trusted-proxy-ip\u003c/code\u003e flag to mitigate this issue by allowing administrators to specify trusted reverse proxy IPs. However, upgrading alone is insufficient; the \u003ccode\u003e--trusted-proxy-ip\u003c/code\u003e flag must be configured, and additional mitigation steps are recommended to properly secure deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an OAuth2 Proxy instance configured with \u003ccode\u003e--reverse-proxy\u003c/code\u003e and \u003ccode\u003e--skip_auth_routes\u003c/code\u003e (or \u003ccode\u003e--skip_auth_regex\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a protected route.\u003c/li\u003e\n\u003cli\u003eThe attacker adds an \u003ccode\u003eX-Forwarded-Uri\u003c/code\u003e header to the request, setting its value to a path configured in \u003ccode\u003e--skip_auth_routes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe reverse proxy forwards the request, including the attacker-controlled \u003ccode\u003eX-Forwarded-Uri\u003c/code\u003e header, to the OAuth2 Proxy instance.\u003c/li\u003e\n\u003cli\u003eOAuth2 Proxy evaluates the \u003ccode\u003eX-Forwarded-Uri\u003c/code\u003e header against the \u003ccode\u003e--skip_auth_routes\u003c/code\u003e rules and incorrectly determines that authentication is not required.\u003c/li\u003e\n\u003cli\u003eOAuth2 Proxy forwards the request, now bypassing authentication, to the upstream application.\u003c/li\u003e\n\u003cli\u003eThe upstream application processes the request, granting the attacker unauthorized access to the protected resource.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully accesses the protected route and performs unauthorized actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-40575) allows unauthenticated remote attackers to bypass authentication and access protected routes without valid credentials. This could lead to complete compromise of the application behind the OAuth2 Proxy instance, including data theft, modification, or service disruption. The severity is critical as it directly undermines the authentication mechanism, potentially affecting any organization using OAuth2 Proxy with the vulnerable configuration. The number of affected organizations is currently unknown, but any deployment meeting the criteria is vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OAuth2 Proxy to version 7.15.2 or later and configure the \u003ccode\u003e--trusted-proxy-ip\u003c/code\u003e flag to explicitly define trusted reverse proxy IPs to mitigate CVE-2026-40575.\u003c/li\u003e\n\u003cli\u003eImplement reverse proxy or load balancer rules to strip or overwrite the \u003ccode\u003eX-Forwarded-Uri\u003c/code\u003e header from client requests, ensuring OAuth2 Proxy receives the correct request URI, as shown in the nginx example.\u003c/li\u003e\n\u003cli\u003eRestrict direct client access to OAuth2 Proxy, ensuring it can only be reached through a trusted reverse proxy to prevent attackers from directly injecting malicious headers.\u003c/li\u003e\n\u003cli\u003eReview and narrow \u003ccode\u003e--skip-auth-route\u003c/code\u003e / \u003ccode\u003e--skip-auth-regex\u003c/code\u003e rules where possible to minimize the attack surface and reduce the potential for authentication bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-oauth2-proxy-auth-bypass/","summary":"OAuth2 Proxy is vulnerable to an authentication bypass when configured with `--reverse-proxy` and `--skip_auth_routes` or `--skip_auth_regex`; by spoofing the `X-Forwarded-Uri` header, an attacker can bypass authentication and access protected routes without a valid session.","title":"OAuth2 Proxy Authentication Bypass via X-Forwarded-Uri Header Spoofing","url":"https://feed.craftedsignal.io/briefs/2024-01-29-oauth2-proxy-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-41059"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OAuth2 Proxy"],"_cs_severities":["high"],"_cs_tags":["oauth2proxy","authentication-bypass","cve"],"_cs_type":"advisory","_cs_vendors":["OAuth2 Proxy"],"content_html":"\u003cp\u003eOAuth2 Proxy, a reverse proxy providing authentication using OAuth2 providers, is susceptible to an authentication bypass vulnerability (CVE-2026-41059) affecting versions 7.5.0 through 7.15.1. This vulnerability arises when specific configurations are in place: the use of \u003ccode\u003eskip_auth_routes\u003c/code\u003e or the legacy \u003ccode\u003eskip_auth_regex\u003c/code\u003e with patterns vulnerable to attacker-controlled suffix widening (e.g., \u003ccode\u003e^/foo/.*/bar$\u003c/code\u003e), and protected upstream applications that interpret \u003ccode\u003e#\u003c/code\u003e as a fragment delimiter.  An attacker can exploit this by crafting requests containing a number sign (\u003ccode\u003e#\u003c/code\u003e or its encoded form \u003ccode\u003e%23\u003c/code\u003e) to match public allowlist rules, while the backend inadvertently serves protected resources.  Organizations using OAuth2 Proxy within this vulnerable range should upgrade to version 7.15.2 or implement mitigations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an OAuth2 Proxy instance running a vulnerable version (7.5.0 - 7.15.1) and configuration, specifically utilizing \u003ccode\u003eskip_auth_routes\u003c/code\u003e or \u003ccode\u003eskip_auth_regex\u003c/code\u003e with overly permissive patterns.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a protected resource, embedding a \u003ccode\u003e#\u003c/code\u003e or \u003ccode\u003e%23\u003c/code\u003e within the URI path. For example, a request to \u003ccode\u003e/foo/secret%23bar\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOAuth2 Proxy evaluates the request against the configured \u003ccode\u003eskip_auth_routes\u003c/code\u003e or \u003ccode\u003eskip_auth_regex\u003c/code\u003e rules.  The crafted path bypasses the authentication check because the initial segment matches the allowed pattern (e.g., \u003ccode\u003e/foo/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eOAuth2 Proxy forwards the request to the upstream application without authentication.\u003c/li\u003e\n\u003cli\u003eThe upstream application receives the request. Due to the presence of \u003ccode\u003e#\u003c/code\u003e or \u003ccode\u003e%23\u003c/code\u003e, the application might interpret the URL differently, possibly ignoring the fragment and routing the request to the protected resource (e.g., \u003ccode\u003e/foo/secret\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe upstream application, believing the request is legitimate, processes the request and potentially returns sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the unauthorized response from the upstream application, successfully bypassing authentication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41059 allows unauthenticated attackers to access protected resources and sensitive data behind OAuth2 Proxy. The impact is highly dependent on the nature of the protected resources, potentially leading to data breaches, unauthorized access to administrative interfaces, and other security compromises. The number of affected organizations is unknown but depends on the prevalence of vulnerable OAuth2 Proxy configurations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OAuth2 Proxy to version 7.15.2 or later to patch CVE-2026-41059.\u003c/li\u003e\n\u003cli\u003eTighten or remove \u003ccode\u003eskip_auth_routes\u003c/code\u003e and \u003ccode\u003eskip_auth_regex\u003c/code\u003e rules, especially patterns that use broad wildcards across path segments, as mentioned in the advisory for CVE-2026-41059.\u003c/li\u003e\n\u003cli\u003eImplement ingress, load balancer, or WAF rules to reject requests whose path contains \u003ccode\u003e%23\u003c/code\u003e or \u003ccode\u003e#\u003c/code\u003e, as recommended in the CVE-2026-41059 advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;OAuth2 Proxy Authentication Bypass Attempt via URL Fragment\u0026quot; to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-oauth2-auth-bypass/","summary":"OAuth2 Proxy versions 7.5.0 through 7.15.1 are vulnerable to an authentication bypass (CVE-2026-41059) due to improper handling of URL fragments in conjunction with `skip_auth_routes` or `skip_auth_regex`, potentially allowing unauthenticated access to protected resources.","title":"OAuth2 Proxy Authentication Bypass Vulnerability (CVE-2026-41059)","url":"https://feed.craftedsignal.io/briefs/2024-01-09-oauth2-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-40575"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OAuth2 Proxy"],"_cs_severities":["critical"],"_cs_tags":["oauth2-proxy","authentication-bypass","CVE-2026-40575","reverse-proxy"],"_cs_type":"advisory","_cs_vendors":["OAuth2 Proxy"],"content_html":"\u003cp\u003eOAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A critical vulnerability, CVE-2026-40575, affects OAuth2 Proxy versions 7.5.0 through 7.15.1. Specifically, when OAuth2 Proxy is configured with the \u003ccode\u003e--reverse-proxy\u003c/code\u003e flag enabled, and also utilizes either \u003ccode\u003e--skip-auth-regex\u003c/code\u003e or \u003ccode\u003e--skip-auth-route\u003c/code\u003e for specifying paths that should bypass authentication, an attacker can manipulate the \u003ccode\u003eX-Forwarded-Uri\u003c/code\u003e HTTP header. This manipulation allows the attacker to spoof the URI used for authentication checks, potentially bypassing authentication and gaining unauthorized access to protected routes. The vulnerability impacts deployments that rely on client-supplied \u003ccode\u003eX-Forwarded-Uri\u003c/code\u003e headers and is patched in version 7.15.2. Defenders should prioritize upgrading to the patched version or implementing the recommended mitigations to prevent unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an OAuth2 Proxy instance running a vulnerable version (7.5.0-7.15.1) with \u003ccode\u003e--reverse-proxy\u003c/code\u003e enabled and \u003ccode\u003e--skip-auth-regex\u003c/code\u003e or \u003ccode\u003e--skip-auth-route\u003c/code\u003e configured.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request with a spoofed \u003ccode\u003eX-Forwarded-Uri\u003c/code\u003e header. The spoofed URI is chosen to match a \u003ccode\u003e--skip-auth-regex\u003c/code\u003e or \u003ccode\u003e--skip-auth-route\u003c/code\u003e rule.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious request to the OAuth2 Proxy instance.\u003c/li\u003e\n\u003cli\u003eOAuth2 Proxy processes the request and evaluates the authentication and skip-auth rules against the spoofed URI from the \u003ccode\u003eX-Forwarded-Uri\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eDue to the spoofed URI matching a skip-auth rule, OAuth2 Proxy bypasses authentication for the request.\u003c/li\u003e\n\u003cli\u003eOAuth2 Proxy forwards the request to the upstream application, without proper authentication checks.\u003c/li\u003e\n\u003cli\u003eThe upstream application processes the request, granting the attacker access to protected resources without valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data or functionality that should have been protected by authentication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40575 allows an unauthenticated remote attacker to bypass authentication and access protected routes without a valid session. This can lead to unauthorized access to sensitive data, modification of critical configurations, or execution of privileged operations within the targeted application. The impact is particularly severe for deployments that rely on OAuth2 Proxy for securing critical services and applications, potentially leading to significant data breaches and service disruptions. The exact number of potential victims is unknown but any deployment matching the vulnerable configuration is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade OAuth2 Proxy to version 7.15.2 to patch CVE-2026-40575.\u003c/li\u003e\n\u003cli\u003eImplement mitigations if immediate upgrade is not possible: strip client-provided \u003ccode\u003eX-Forwarded-Uri\u003c/code\u003e headers at the reverse proxy or load balancer level.\u003c/li\u003e\n\u003cli\u003eExplicitly overwrite \u003ccode\u003eX-Forwarded-Uri\u003c/code\u003e with the actual request URI before forwarding requests to OAuth2 Proxy as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eRestrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious X-Forwarded-Uri Header\u003c/code\u003e to monitor for potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-oauth2-proxy-bypass/","summary":"OAuth2 Proxy versions 7.5.0 through 7.15.1 are vulnerable to an authentication bypass where attackers can spoof the `X-Forwarded-Uri` header when `--reverse-proxy` is enabled alongside `--skip-auth-regex` or `--skip-auth-route`, allowing unauthorized access to protected resources.","title":"OAuth2 Proxy Authentication Bypass via X-Forwarded-Uri Spoofing","url":"https://feed.craftedsignal.io/briefs/2024-01-oauth2-proxy-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - OAuth2 Proxy","version":"https://jsonfeed.org/version/1.1"}