Nginx
CVE-2026-40575
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (https://github.com/oauth2-proxy/oauth2-proxy).
CVSS VectorVendor: https://github.com/oauth2-proxy/oauth2-proxy
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
A configuration-dependent authentication bypass exists in OAuth2 Proxy.
Deployments are affected when all of the following are true:
- OAuth2 Proxy is configured with
--reverse-proxy - and at least one rule is defined with
--skip_auth_routesor the legacy--skip-auth-regex
OAuth2 Proxy may trust a client-supplied X-Forwarded-Uri header when --reverse-proxy is enabled and --skip-auth-route or --skip-auth-regex is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application.
This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session.
Patches
This issue is addressed as part of the newly introduced --trusted-proxy-ip flag in v7.15.2. If you leave it unset, OAuth2 Proxy will continue to trust ALL source IPs (0.0.0.0/0) for backwards compatibility, which means a client may still be able to spoof forwarded headers. Therefore after upgrading we urge you to use the new --trusted-proxy-ip flag to set the IPs or CIDR ranges of the reverse proxies that are allowed to send X-Forwarded-* headers and furthermore implement the mitigation steps outlined below to properly configure your load balancer infrastructure.
Mitigation
- Strip any client-provided
X-Forwarded-Uriheader at the reverse proxy or load balancer level - Explicitly overwrite
X-Forwarded-Uriwith the actual request URI before forwarding requests to OAuth2 Proxy
Example nginx mitigation for the auth subrequest:
location /internal-auth/ {
internal;
# Ensure external users can't access this path
# Make sure the OAuth2 Proxy knows where the original request came from.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# set the value to the actual $request_uri and therefore strip any user provided X-Forwarded-Uri
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_pass http://oauth2-proxy:4180/;
}- Restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy
- Remove or narrow
--skip-auth-route/--skip-auth-regexrules where possible
Analysis
Impact
A configuration-dependent authentication bypass exists in OAuth2 Proxy.
Deployments are affected when all of the following are true:
- OAuth2 Proxy is configured with
--reverse-proxy - and at least one rule is defined with
--skip_auth_routesor the legacy--skip-auth-regex
OAuth2 Proxy may trust a client-supplied X-Forwarded-Uri header when --reverse-proxy is enabled and --skip-auth-route or --skip-auth-regex is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application.
This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session.
Patches
This issue is addressed as part of the newly introduced --trusted-proxy-ip flag in v7.15.2. If you leave it unset, OAuth2 Proxy will continue to trust ALL source IPs (0.0.0.0/0) for backwards compatibility, which means a client may still be able to spoof forwarded headers. Therefore after upgrading we urge you to use the new --trusted-proxy-ip flag to set the IPs or CIDR ranges of the reverse proxies that are allowed to send X-Forwarded-* headers and furthermore implement the mitigation steps outlined below to properly configure your load balancer infrastructure.
Mitigation
- Strip any client-provided
X-Forwarded-Uriheader at the reverse proxy or load balancer level - Explicitly overwrite
X-Forwarded-Uriwith the actual request URI before forwarding requests to OAuth2 Proxy
Example nginx mitigation for the auth subrequest:
location /internal-auth/ {
internal;
# Ensure external users can't access this path
# Make sure the OAuth2 Proxy knows where the original request came from.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# set the value to the actual $request_uri and therefore strip any user provided X-Forwarded-Uri
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_pass http://oauth2-proxy:4180/;
}- Restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy
- Remove or narrow
--skip-auth-route/--skip-auth-regexrules where possible
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-7x63-xv5r-3p2x