
OAuth2 Proxy allows unauthenticated access to protected routes

CVE advisory. Severity: CRITICAL (CVSS 9.1)

CVE-2026-40575

OAuth2 Proxy can be tricked into letting attackers bypass authentication and access protected routes, which is a serious risk for any system relying on it for security.

Halo Surface Signal: 5

Vendor: Oauth2 Proxy Project. Product: Oauth2 Proxy.

Affected versions: 7.5.0 to before 7.15.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-40575

OAuth2 Proxy operates as an edge gateway and reverse proxy, typically positioned at the network perimeter to enforce authentication for web applications. Because its primary function is to manage traffic flow to downstream web services, it is frequently exposed to public internet traffic as part of a standard internet-facing deployment architecture.

PCI scan relevance

PCI Relevance for CVE-2026-40575

Yes

CVE-2026-40575 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated attackers to bypass access controls by spoofing a header the proxy trusts. Because it is an authentication bypass, it could lead to an automatic failure in PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

OAuth2 Proxy may incorrectly trust a user-supplied header, allowing an attacker to bypass authentication. This means protected routes could be accessed without a valid session. This is a significant concern for deployments using this proxy for authentication.

  • Bypasses authentication checks.
  • Attackers can access protected routes.
  • Affects specific configurations.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can bypass authentication to protected routes. This is achieved by sending a specially crafted `X-Forwarded-Uri` header that tricks OAuth2 Proxy into evaluating skip-auth rules against an unintended path. This allows access to resources that should be protected, provided the proxy is configured with `--reverse-proxy` and either `--skip-auth-regex` or `--skip-auth-route`.

  • Requires `--reverse-proxy` enabled.
  • Targets authentication bypass.
  • Requires configured skip-auth rules.

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this vulnerability appealing because its direct impact is an authentication bypass that grants unauthenticated access to protected routes. Exploitation appears feasible by manipulating a single HTTP header in deployments that carry the relevant configuration. While the vulnerability is critical, its weaponization is contingent on OAuth2 Proxy being deployed with `--reverse-proxy` enabled together with either `--skip-auth-regex` or `--skip-auth-route`.

  • Exploitation depends on specific configurations.
  • Public exploit code is not yet observed.
  • Patch available in v7.15.2.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching OAuth2 Proxy to version 7.15.2 to address the critical authentication bypass vulnerability. If immediate patching is not feasible, implement header-sanitization controls at your edge or load balancer so that spoofed `X-Forwarded-Uri` headers never reach the proxy.

  • Apply patch v7.15.2.
  • Block client `X-Forwarded-Uri` headers.
  • Monitor for unauthenticated access attempts.

Frequently asked questions

What is the vulnerability in OAuth2 Proxy versions 7.5.0 through 7.15.1?

OAuth2 Proxy versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when specific configurations are enabled, potentially allowing an attacker to bypass authentication and access protected routes.

What type of weakness allows an attacker to bypass authentication in OAuth2 Proxy?

The vulnerability stems from a header-handling weakness that is reachable under specific configurations: OAuth2 Proxy trusts a client-supplied `X-Forwarded-Uri` header. It is classified under CWE-290 (Authentication Bypass by Spoofing).

How can an attacker exploit the OAuth2 Proxy vulnerability?

An attacker can exploit this by spoofing the `X-Forwarded-Uri` header. This manipulation causes OAuth2 Proxy to evaluate authentication and skip-auth rules against an incorrect path, enabling unauthenticated access to protected routes. This requires the `--reverse-proxy` option to be enabled, along with `--skip-auth-regex` or `--skip-auth-route` configurations.

How relevant is the OAuth2 Proxy vulnerability to internet-facing systems?

The vulnerability is highly relevant as OAuth2 Proxy often acts as an edge gateway, exposed to public internet traffic. Its function in enforcing authentication makes a bypass critical for systems relying on it. This is considered very likely to be a concern for internet-facing deployments.

What steps should be taken to mitigate the OAuth2 Proxy authentication bypass vulnerability?

The primary mitigation is to update OAuth2 Proxy to version 7.15.2. If an immediate upgrade is not possible, implement workarounds such as stripping client-provided `X-Forwarded-Uri` headers at the reverse proxy or load balancer, or explicitly overwriting the header with the actual request URI before forwarding to OAuth2 Proxy.
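The workaround described in the Operational Fix section and in the answer above (strip or overwrite the client-supplied `X-Forwarded-Uri` at the hop in front of OAuth2 Proxy, and watch for spoofing attempts) as an added Go example; this is not OAuth2 Proxy's own code. The function names `overwriteForwardedURI`, `forwardedURIMismatch` and `normalisedHeader` are hypothetical, and the middleware assumes it runs on the one trusted edge that is allowed to set the header.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// overwriteForwardedURI (hypothetical edge middleware, not OAuth2 Proxy code):
// at the trusted hop in front of OAuth2 Proxy, replace whatever X-Forwarded-Uri
// the client sent with the URI this hop actually received, so the proxy never
// evaluates skip-auth rules against a client-chosen path.
func overwriteForwardedURI(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Set overwrites any client-supplied value; RequestURI() is path plus query.
		r.Header.Set("X-Forwarded-Uri", r.URL.RequestURI())
		next.ServeHTTP(w, r)
	})
}

// forwardedURIMismatch is a detection helper: true when the incoming request
// carries an X-Forwarded-Uri that differs from the URI actually requested.
// Run it before normalisation to log or alert on spoofing attempts.
func forwardedURIMismatch(r *http.Request) bool {
	fwd := r.Header.Get("X-Forwarded-Uri")
	return fwd != "" && fwd != r.URL.RequestURI()
}

// normalisedHeader sends one request through the middleware and returns the
// X-Forwarded-Uri value the downstream handler (OAuth2 Proxy in a real
// deployment) would see. clientSupplied == "" means no header was sent.
func normalisedHeader(requestURI, clientSupplied string) string {
	var seen string
	h := overwriteForwardedURI(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("X-Forwarded-Uri")
	}))
	req := httptest.NewRequest(http.MethodGet, requestURI, nil)
	if clientSupplied != "" {
		req.Header.Set("X-Forwarded-Uri", clientSupplied)
	}
	h.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	// Constructed request: a protected path is requested while the header
	// claims a different path; the edge normalises it before forwarding.
	fmt.Println(normalisedHeader("/admin/users?x=1", "/healthz")) // /admin/users?x=1
}
```

Only the hop that runs this middleware may be reachable by OAuth2 Proxy; if clients can reach the proxy directly, the header rewrite is bypassed and patching remains the only fix.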
