CVE-2026-40575 Overview
CVE-2026-40575 is an authentication bypass vulnerability in OAuth2 Proxy, a reverse proxy that provides authentication using OAuth2 providers. When running with --reverse-proxy enabled and either --skip-auth-regex or --skip-auth-route configured, OAuth2 Proxy versions 7.5.0 through 7.15.1 may incorrectly trust a client-supplied X-Forwarded-Uri header. This allows attackers to spoof the header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application, resulting in complete authentication bypass.
Critical Impact
Unauthenticated remote attackers can bypass authentication and access protected routes without a valid session, potentially gaining unauthorized access to sensitive resources and data.
Affected Products
- OAuth2 Proxy versions 7.5.0 through 7.15.1
- Deployments with --reverse-proxy enabled
- Configurations using --skip-auth-regex or --skip-auth-route rules
Discovery Timeline
- 2026-04-22 - CVE-2026-40575 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40575
Vulnerability Analysis
This vulnerability is classified as CWE-290 (Authentication Bypass by Spoofing), which describes scenarios where an attacker can bypass authentication mechanisms by spoofing trusted identifiers or headers. The flaw exists in how OAuth2 Proxy processes incoming requests when operating behind a reverse proxy.
When --reverse-proxy mode is enabled, OAuth2 Proxy trusts the X-Forwarded-* headers it receives, X-Forwarded-Uri included, on the assumption that a reverse proxy in front of it set them. The vulnerability arises because OAuth2 Proxy has no way to tell whether a given X-Forwarded-Uri was set by that proxy or by the client: if the fronting proxy passes the client's copy through unchanged, or a client can reach OAuth2 Proxy directly, the value is attacker-controlled. That value then replaces the real request path for the skip-auth decision, while the request forwarded to the upstream keeps the real path.
The attack becomes exploitable when administrators have configured --skip-auth-regex or --skip-auth-route rules to allow certain paths to bypass authentication. By spoofing the X-Forwarded-Uri header to match an allowed path while actually requesting a protected resource, attackers can circumvent authentication entirely.
Root Cause
The root cause of CVE-2026-40575 is insufficient validation of the X-Forwarded-Uri header origin. OAuth2 Proxy fails to distinguish between headers legitimately set by trusted reverse proxies and those maliciously injected by clients. When evaluating skip-auth rules, the proxy uses the potentially spoofed X-Forwarded-Uri value instead of the actual request URI, creating a path confusion vulnerability that enables authentication bypass.
Attack Vector
The attack exploits the trust relationship between OAuth2 Proxy and its expected reverse proxy infrastructure. An attacker can craft HTTP requests that include a spoofed X-Forwarded-Uri header matching a path configured in --skip-auth-regex or --skip-auth-route. When OAuth2 Proxy receives this request, it incorrectly evaluates the authentication rules against the spoofed path rather than the actual request path. The upstream application then receives the original request path, allowing the attacker to access protected resources without authentication.
For example, if /health is configured as a skip-auth path, an attacker could request /admin/sensitive-data while setting X-Forwarded-Uri: /health. OAuth2 Proxy would evaluate the request against /health, skip authentication, and forward the request to the upstream application which processes it as /admin/sensitive-data.
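The path confusion described above, reduced to a small Go middleware as an added example. This is illustrative code written for this page, not OAuth2 Proxy's source: the "regex" / "METHOD=regex" rule syntax, the `_oauth2_proxy` cookie check and the in-memory upstream are assumptions. What it shows is that once X-Forwarded-Uri is trusted, the skip-auth decision and the upstream request are driven by two different paths, and that matching on the real request path closes the gap.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// rule is a simplified stand-in for one --skip-auth-regex / --skip-auth-route
// entry: an optional HTTP method and a regexp matched against the request path.
type rule struct {
	method string // empty means any method
	re     *regexp.Regexp
}

// compileRules accepts "regex" or "METHOD=regex" (assumed syntax for this example).
func compileRules(specs []string) ([]rule, error) {
	var rules []rule
	for _, spec := range specs {
		method, pattern := "", spec
		if i := strings.Index(spec, "="); i >= 0 {
			method, pattern = strings.ToUpper(spec[:i]), spec[i+1:]
		}
		re, err := regexp.Compile(pattern)
		if err != nil {
			return nil, fmt.Errorf("rule %q: %w", spec, err)
		}
		rules = append(rules, rule{method: method, re: re})
	}
	return rules, nil
}

// pathForRules picks the path the skip-auth rules are evaluated against.
// With trustForwardedURI set (the vulnerable behaviour), a present
// X-Forwarded-Uri header wins over the path the client actually requested.
func pathForRules(r *http.Request, trustForwardedURI bool) string {
	if trustForwardedURI {
		if fwd := r.Header.Get("X-Forwarded-Uri"); fwd != "" {
			if u, err := url.ParseRequestURI(fwd); err == nil {
				return u.Path
			}
			return fwd
		}
	}
	return r.URL.Path
}

func matchesSkipRule(r *http.Request, rules []rule, trustForwardedURI bool) bool {
	path := pathForRules(r, trustForwardedURI)
	for _, rl := range rules {
		if rl.method != "" && rl.method != r.Method {
			continue
		}
		if rl.re.MatchString(path) {
			return true
		}
	}
	return false
}

// hasSession stands in for the real session check (constructed cookie value).
func hasSession(r *http.Request) bool {
	c, err := r.Cookie("_oauth2_proxy")
	return err == nil && c.Value == "valid-session"
}

// newGate lets a request through to upstream when it carries a session or
// matches a skip-auth rule, and answers 401 otherwise. The upstream always
// receives r.URL.Path, never the forwarded value.
func newGate(rules []rule, trustForwardedURI bool, upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hasSession(r) || matchesSkipRule(r, rules, trustForwardedURI) {
			upstream.ServeHTTP(w, r)
			return
		}
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// reportingUpstream echoes the path it served, so the confusion is visible.
func reportingUpstream() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "upstream served %s", r.URL.Path)
	})
}

// probe sends one in-memory request, optionally with a spoofed X-Forwarded-Uri.
func probe(h http.Handler, method, path, forwardedURI string) (int, string) {
	req := httptest.NewRequest(method, path, nil)
	if forwardedURI != "" {
		req.Header.Set("X-Forwarded-Uri", forwardedURI)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	rules, err := compileRules([]string{"^/health$", "GET=^/static/"})
	if err != nil {
		panic(err)
	}
	for _, trust := range []bool{true, false} {
		code, body := probe(newGate(rules, trust, reportingUpstream()), "GET", "/admin/sensitive-data", "/health")
		fmt.Printf("trust X-Forwarded-Uri=%v: %d %s\n", trust, code, body)
	}
}
```

Run with `go run .`: the first line shows the request for /admin/sensitive-data passing the /health rule and reaching the upstream with a 200, the second shows the same request rejected with 401 once the header is ignored for rule matching.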
Detection Methods for CVE-2026-40575
Indicators of Compromise
- Unusual or unexpected X-Forwarded-Uri headers in access logs that don't match the actual request paths
- Access to protected endpoints without corresponding authentication events in OAuth2 Proxy logs
- Requests from external sources containing X-Forwarded-Uri headers when they should only come from trusted proxies
- Spike in access to sensitive routes without valid session cookies or tokens
Detection Strategies
- Implement log correlation between reverse proxy access logs and OAuth2 Proxy authentication logs to identify path mismatches
- Monitor for requests where the logged request path differs from the X-Forwarded-Uri header value
- Deploy Web Application Firewall (WAF) rules to flag or block requests with unexpected X-Forwarded-Uri headers from untrusted sources
- Review access logs for patterns showing protected resource access without corresponding authentication flows
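The path-mismatch check from the list above, run over a constructed access-log excerpt as an added example (not part of this page's source or of OAuth2 Proxy). It assumes the fronting nginx logs the header the client sent via `$http_x_forwarded_uri`, which nginx exposes for any incoming request header; the log format and the log lines are made up for the demonstration. Any request arriving at the fronting proxy with X-Forwarded-Uri already set is reported, and a value naming a different path than the one requested is upgraded to a mismatch, which is the signature of the bypass.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleAccessLog is a constructed excerpt from a fronting nginx whose
// log_format was extended with fwd="$http_x_forwarded_uri" (the value the
// client sent, captured before nginx overwrites it). Not a real capture.
const sampleAccessLog = `203.0.113.5 "GET /health HTTP/1.1" 200 fwd="-"
203.0.113.7 "GET /admin/sensitive-data HTTP/1.1" 200 fwd="/health"
198.51.100.2 "GET /admin/users HTTP/1.1" 401 fwd="-"
203.0.113.7 "POST /api/orders?id=7 HTTP/1.1" 200 fwd="/static/app.js?v=1"
10.0.0.4 "GET /health HTTP/1.1" 200 fwd="/health"
`

// lineRe parses the constructed format: client "METHOD uri proto" status fwd="...".
var lineRe = regexp.MustCompile(`^(\S+) "(\S+) (\S+) \S+" (\d{3}) fwd="([^"]*)"$`)

// Finding describes one suspicious log line.
type Finding struct {
	Line      int
	Client    string
	Method    string
	Path      string // path of the real request, query string stripped
	Forwarded string // path from the client-supplied X-Forwarded-Uri
	Status    string
	Kind      string // "header-present" or "path-mismatch"
}

// pathOnly drops the query string so /a?x=1 and /a compare equal.
func pathOnly(uri string) string {
	if i := strings.IndexByte(uri, '?'); i >= 0 {
		return uri[:i]
	}
	return uri
}

// FindForwardedURIAnomalies flags every request that reached the fronting
// proxy already carrying X-Forwarded-Uri (clients have no reason to set it)
// and marks it as "path-mismatch" when that value names a different path
// than the one actually requested.
func FindForwardedURIAnomalies(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil || m[5] == "-" || m[5] == "" {
			continue
		}
		f := Finding{Line: n, Client: m[1], Method: m[2], Path: pathOnly(m[3]),
			Forwarded: pathOnly(m[5]), Status: m[4], Kind: "header-present"}
		if f.Forwarded != f.Path {
			f.Kind = "path-mismatch"
		}
		out = append(out, f)
	}
	return out
}

func main() {
	for _, f := range FindForwardedURIAnomalies(sampleAccessLog) {
		fmt.Printf("line %d %-14s %s %s %s -> X-Forwarded-Uri=%s (status %s)\n",
			f.Line, f.Kind, f.Client, f.Method, f.Path, f.Forwarded, f.Status)
	}
}
```

Lines 2 and 4 are reported as path mismatches (a /health and a /static/ rule would have let them through), line 5 only as a header being present, which is still worth a look because the fronting proxy is supposed to be the one setting it.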
Monitoring Recommendations
- Log the X-Forwarded-Uri value as it arrives at the fronting reverse proxy (nginx exposes any incoming request header as a variable, here $http_x_forwarded_uri) next to the request path, so spoofed values can be compared with what was actually requested
- Configure alerting for authentication bypass attempts or anomalous access patterns to protected routes
- Implement network-level monitoring to detect direct client connections to OAuth2 Proxy that bypass trusted reverse proxies
- Establish baseline metrics for authentication success/failure ratios to detect sudden changes indicating exploitation
How to Mitigate CVE-2026-40575
Immediate Actions Required
- Upgrade OAuth2 Proxy to version v7.15.2 or later immediately
- Audit current configurations for --skip-auth-regex and --skip-auth-route rules and remove or narrow them where possible
- Verify that OAuth2 Proxy is only accessible through trusted reverse proxy infrastructure
- Review access logs for signs of exploitation prior to patching
Patch Information
OAuth2 Proxy version v7.15.2 addresses this vulnerability by changing how the X-Forwarded-Uri header is handled when skip-auth rules are evaluated. Organizations should upgrade to this version as the primary remediation; the workarounds below reduce exposure but do not replace the patch. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Strip any client-provided X-Forwarded-Uri header at the reverse proxy or load balancer level before requests reach OAuth2 Proxy
- Explicitly overwrite X-Forwarded-Uri with the actual request URI at the reverse proxy before forwarding requests
- Restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy
- Remove or significantly narrow --skip-auth-regex and --skip-auth-route rules to minimize attack surface
# nginx configuration to sanitize X-Forwarded-Uri header
# proxy_set_header replaces any X-Forwarded-Uri the client sent, so OAuth2 Proxy
# only ever sees the URI nginx actually received. This only helps when clients
# cannot reach OAuth2 Proxy except through this nginx (firewall or network policy).
location / {
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_pass http://oauth2-proxy:4180;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

