<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OAuth2 Proxy - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/oauth2-proxy/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/oauth2-proxy/feed.xml" rel="self" type="application/rss+xml"/><item><title>OAuth2 Proxy Authentication Bypass Vulnerability (CVE-2026-41059)</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-oauth2-auth-bypass/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-oauth2-auth-bypass/</guid><description>OAuth2 Proxy versions 7.5.0 through 7.15.1 are vulnerable to an authentication bypass (CVE-2026-41059) due to improper handling of URL fragments in conjunction with `skip_auth_routes` or `skip_auth_regex`, potentially allowing unauthenticated access to protected resources.</description><content:encoded><![CDATA[<p>OAuth2 Proxy, a reverse proxy providing authentication using OAuth2 providers, is susceptible to an authentication bypass vulnerability (CVE-2026-41059) affecting versions 7.5.0 through 7.15.1. This vulnerability arises when specific configurations are in place: the use of <code>skip_auth_routes</code> or the legacy <code>skip_auth_regex</code> with patterns vulnerable to attacker-controlled suffix widening (e.g., <code>^/foo/.*/bar$</code>), and protected upstream applications that interpret <code>#</code> as a fragment delimiter.  An attacker can exploit this by crafting requests containing a number sign (<code>#</code> or its encoded form <code>%23</code>) to match public allowlist rules, while the backend inadvertently serves protected resources.  Organizations using OAuth2 Proxy within this vulnerable range should upgrade to version 7.15.2 or implement mitigations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an OAuth2 Proxy instance running a vulnerable version (7.5.0 - 7.15.1) and configuration, specifically utilizing <code>skip_auth_routes</code> or <code>skip_auth_regex</code> with overly permissive patterns.</li>
<li>The attacker crafts a malicious HTTP request targeting a protected resource, embedding a <code>#</code> or <code>%23</code> within the URI path. For example, a request to <code>/foo/secret%23bar</code>.</li>
<li>OAuth2 Proxy evaluates the request against the configured <code>skip_auth_routes</code> or <code>skip_auth_regex</code> rules.  The crafted path bypasses the authentication check because the initial segment matches the allowed pattern (e.g., <code>/foo/</code>).</li>
<li>OAuth2 Proxy forwards the request to the upstream application without authentication.</li>
<li>The upstream application receives the request. Due to the presence of <code>#</code> or <code>%23</code>, the application might interpret the URL differently, possibly ignoring the fragment and routing the request to the protected resource (e.g., <code>/foo/secret</code>).</li>
<li>The upstream application, believing the request is legitimate, processes the request and potentially returns sensitive data.</li>
<li>The attacker receives the unauthorized response from the upstream application, successfully bypassing authentication.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-41059 allows unauthenticated attackers to access protected resources and sensitive data behind OAuth2 Proxy. The impact is highly dependent on the nature of the protected resources, potentially leading to data breaches, unauthorized access to administrative interfaces, and other security compromises. The number of affected organizations is unknown but depends on the prevalence of vulnerable OAuth2 Proxy configurations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OAuth2 Proxy to version 7.15.2 or later to patch CVE-2026-41059.</li>
<li>Tighten or remove <code>skip_auth_routes</code> and <code>skip_auth_regex</code> rules, especially patterns that use broad wildcards across path segments, as mentioned in the advisory for CVE-2026-41059.</li>
<li>Implement ingress, load balancer, or WAF rules to reject requests whose path contains <code>%23</code> or <code>#</code>, as recommended in the CVE-2026-41059 advisory.</li>
<li>Deploy the Sigma rule &quot;OAuth2 Proxy Authentication Bypass Attempt via URL Fragment&quot; to detect exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>oauth2proxy</category><category>authentication-bypass</category><category>cve</category></item><item><title>OAuth2 Proxy Authentication Bypass via X-Forwarded-Uri Spoofing</title><link>https://feed.craftedsignal.io/briefs/2024-01-oauth2-proxy-bypass/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-oauth2-proxy-bypass/</guid><description>OAuth2 Proxy versions 7.5.0 through 7.15.1 are vulnerable to an authentication bypass where attackers can spoof the `X-Forwarded-Uri` header when `--reverse-proxy` is enabled alongside `--skip-auth-regex` or `--skip-auth-route`, allowing unauthorized access to protected resources.</description><content:encoded><![CDATA[<p>OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A critical vulnerability, CVE-2026-40575, affects OAuth2 Proxy versions 7.5.0 through 7.15.1. Specifically, when OAuth2 Proxy is configured with the <code>--reverse-proxy</code> flag enabled, and also utilizes either <code>--skip-auth-regex</code> or <code>--skip-auth-route</code> for specifying paths that should bypass authentication, an attacker can manipulate the <code>X-Forwarded-Uri</code> HTTP header. This manipulation allows the attacker to spoof the URI used for authentication checks, potentially bypassing authentication and gaining unauthorized access to protected routes. The vulnerability impacts deployments that rely on client-supplied <code>X-Forwarded-Uri</code> headers and is patched in version 7.15.2. Defenders should prioritize upgrading to the patched version or implementing the recommended mitigations to prevent unauthorized access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies an OAuth2 Proxy instance running a vulnerable version (7.5.0-7.15.1) with <code>--reverse-proxy</code> enabled and <code>--skip-auth-regex</code> or <code>--skip-auth-route</code> configured.</li>
<li>The attacker crafts a malicious HTTP request with a spoofed <code>X-Forwarded-Uri</code> header. The spoofed URI is chosen to match a <code>--skip-auth-regex</code> or <code>--skip-auth-route</code> rule.</li>
<li>The attacker sends the malicious request to the OAuth2 Proxy instance.</li>
<li>OAuth2 Proxy processes the request and evaluates the authentication and skip-auth rules against the spoofed URI from the <code>X-Forwarded-Uri</code> header.</li>
<li>Due to the spoofed URI matching a skip-auth rule, OAuth2 Proxy bypasses authentication for the request.</li>
<li>OAuth2 Proxy forwards the request to the upstream application, without proper authentication checks.</li>
<li>The upstream application processes the request, granting the attacker access to protected resources without valid credentials.</li>
<li>The attacker gains unauthorized access to sensitive data or functionality that should have been protected by authentication.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40575 allows an unauthenticated remote attacker to bypass authentication and access protected routes without a valid session. This can lead to unauthorized access to sensitive data, modification of critical configurations, or execution of privileged operations within the targeted application. The impact is particularly severe for deployments that rely on OAuth2 Proxy for securing critical services and applications, potentially leading to significant data breaches and service disruptions. The exact number of potential victims is unknown but any deployment matching the vulnerable configuration is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade OAuth2 Proxy to version 7.15.2 to patch CVE-2026-40575.</li>
<li>Implement mitigations if immediate upgrade is not possible: strip client-provided <code>X-Forwarded-Uri</code> headers at the reverse proxy or load balancer level.</li>
<li>Explicitly overwrite <code>X-Forwarded-Uri</code> with the actual request URI before forwarding requests to OAuth2 Proxy as mentioned in the advisory.</li>
<li>Restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy.</li>
<li>Deploy the Sigma rule <code>Detect Suspicious X-Forwarded-Uri Header</code> to monitor for potential exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>oauth2-proxy</category><category>authentication-bypass</category><category>CVE-2026-40575</category><category>reverse-proxy</category></item></channel></rss>