CRITICAL: CVE-2026-40575 (CVSS 9.1) — oauth2 proxy project oauth2 proxy

CVE: CVE-2026-40575

CVSS: 9.1 (3.1) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: CRITICAL

Status: Critical advisory

Affected

oauth2 proxy project oauth2 proxy

Summary

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied X-Forwarded-Uri header when --reverse-proxy is enabled and --skip-auth-regex or --skip-auth-route is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application. This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session. Impacted users are deployments that run oauth2-proxy with --reverse-proxy enabled and configure at least one --skip-auth-regex or --skip-auth-route rule. This issue is patched in v7.15.2. Some workarounds are available for those who cannot upgrade immediately. Strip any client-provided X-Forwarded-Uri header at the reverse proxy or load balancer level; explicitly overwrite X-Forwarded-Uri with the actual request URI before forwarding requests to OAuth2 Proxy; restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy; and/or remove or narrow --skip-auth-regex / --skip-auth-route rules where possible. For nginx-based deployments, ensure X-Forwarded-Uri is set by nginx and not passed through from the client.

Verified Sources

References

https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x

_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._

Lyrie Verdict

A vulnerability of this severity is exactly what Lyrie's anti-rogue-AI defense is built for: continuous, autonomous monitoring that doesn't wait for human reaction time.

#oauth2 #critical