Cyber Resilience

CVE-2026-40575

Severity: Critical (record updated)
Published: 22 April 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (v7.15.2)
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0042 (33.8th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-40575 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Oauth2 Proxy Project Oauth2 Proxy. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

OAuth2 Proxy, a reverse proxy for OAuth2 provider authentication, contains a vulnerability in versions 7.5.0 through 7.15.1 (CVE-2026-40575, published April 22, 2026) where it trusts a client-supplied `X-Forwarded-Uri` header when the `--reverse-proxy` flag is enabled alongside `--skip-auth-regex` or `--skip-auth-route` configurations. This allows an attacker to spoof the header, causing OAuth2 Proxy to evaluate authentication and skip-auth rules against a manipulated path rather than the actual request path forwarded to the upstream application. The issue, rated CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and mapped to CWE-290, affects deployments using these specific flags.

An unauthenticated remote attacker can exploit this by sending a crafted `X-Forwarded-Uri` header in requests to OAuth2 Proxy, bypassing authentication checks and gaining unauthorized access to protected upstream routes without a valid session. Exploitation requires the targeted deployment to have `--reverse-proxy` enabled and at least one skip-auth rule configured, enabling the attacker to reach otherwise protected resources.

The vulnerability is patched in OAuth2 Proxy version 7.15.2. Advisories recommend upgrading immediately, with workarounds including stripping client-provided `X-Forwarded-Uri` headers at the reverse proxy or load balancer level, explicitly overwriting the header with the actual request URI before forwarding to OAuth2 Proxy, restricting direct client access to only trusted reverse proxies, and removing or narrowing skip-auth rules where feasible. For nginx deployments, ensure `X-Forwarded-Uri` is set by nginx rather than passed from the client. See the GitHub security advisory at https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x for full details.
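The nginx workaround described above, as an added configuration example that is not taken from the oauth2-proxy project's own documentation: it assumes the usual `auth_request` subrequest layout against oauth2-proxy's `/oauth2/auth` endpoint, with oauth2-proxy on 127.0.0.1:4180 and the protected application on 127.0.0.1:8080 (both constructed addresses), and shows the weak pass-through beside the hardened form.

```nginx
# Added example (not project code). Addresses are constructed placeholders.
upstream oauth2_proxy { server 127.0.0.1:4180; }
upstream app          { server 127.0.0.1:8080; }

server {
    listen 443 ssl;
    server_name app.example.test;
    # ssl_certificate / ssl_certificate_key omitted

    # WEAK: with no proxy_set_header for X-Forwarded-Uri, nginx forwards the
    # client's own header value, so oauth2-proxy (with --reverse-proxy and a
    # skip-auth rule) evaluates its rules against a path the client chose.
    # location = /oauth2/auth {
    #     proxy_pass http://oauth2_proxy;
    #     proxy_pass_request_body off;
    #     proxy_set_header Content-Length "";
    # }

    # HARDENED: always overwrite X-Forwarded-Uri with the URI nginx actually
    # received, so the path oauth2-proxy authorizes is the path sent upstream.
    location = /oauth2/auth {
        internal;                      # only reachable via auth_request
        proxy_pass http://oauth2_proxy;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Forwarded-Uri   $request_uri;  # not $http_x_forwarded_uri
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP         $remote_addr;
    }

    # oauth2-proxy's own endpoints (sign-in, callback); same overwrite applies.
    location /oauth2/ {
        proxy_pass http://oauth2_proxy;
        proxy_set_header X-Forwarded-Uri   $request_uri;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Every application request is gated by the subrequest above.
    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        proxy_pass http://app;
        proxy_set_header X-Forwarded-Uri $request_uri;  # drop the client's copy here too
    }
}
```

Because `proxy_set_header` replaces any client-supplied value of the same name, a spoofed `X-Forwarded-Uri` never reaches oauth2-proxy or the application; combine this with network rules so oauth2-proxy accepts connections only from this nginx instance.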

Vulnerability details

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabled and `--skip-auth-regex` or `--skip-auth-route` is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application. This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session. Impacted users are deployments that run oauth2-proxy with `--reverse-proxy` enabled and configure at least one `--skip-auth-regex` or `--skip-auth-route` rule. This issue is patched in `v7.15.2`. Some workarounds are available for those who cannot upgrade immediately. Strip any client-provided `X-Forwarded-Uri` header at the reverse proxy or load balancer level; explicitly overwrite `X-Forwarded-Uri` with the actual request URI before forwarding requests to OAuth2 Proxy; restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy; and/or remove or narrow `--skip-auth-regex` / `--skip-auth-route` rules where possible. For nginx-based deployments, ensure `X-Forwarded-Uri` is set by nginx and not passed through from the client.

CWE(s)

CWE-290 Authentication Bypass by Spoofing
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote attackers to bypass authentication checks in the public-facing OAuth2 Proxy by spoofing the X-Forwarded-Uri header, directly facilitating exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34457: same product (Oauth2 Proxy Project Oauth2 Proxy)
CVE-2025-54576: same product (Oauth2 Proxy Project Oauth2 Proxy)
CVE-2026-41059: same product (Oauth2 Proxy Project Oauth2 Proxy)
CVE-2018-25316: shared CWE-290
CVE-2026-0834: shared CWE-290
CVE-2025-69401: shared CWE-290
CVE-2025-27671: shared CWE-290
CVE-2026-31889: shared CWE-290
CVE-2026-35622: shared CWE-290
CVE-2026-8644: shared CWE-290

Affected Assets

Vendor: oauth2 proxy project
Product: oauth2 proxy
Versions: 7.5.0 — 7.15.2

Mitigating Controls (NIST 800-53 r5)

Prevent: Remediates the specific flaw in OAuth2 Proxy versions 7.5.0-7.15.1 by applying the patch in v7.15.2, preventing the header spoofing that bypasses authentication.

Prevent (SI-10 Information Input Validation): Requires validation of client-supplied X-Forwarded-Uri headers at proxy entry points to block spoofing that subverts skip-auth rule evaluation.

Prevent (CM-6 Configuration Settings): Ensures secure configuration settings for reverse proxies so that untrusted X-Forwarded-Uri headers are stripped or overwritten and skip-auth rules are narrowed.
