- Last update: 16/04/2026
- Affected software:
→ OAuth2 Proxy versions 7.5.0 and later, up to (but not including) 7.15.2
- Type: Authentication Bypass by Spoofing (CWE-290)
- CVE/CVSS
→ CVE-2026-40575: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H)
https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago
On April 15th 2026, CVE-2026-40575, an authentication bypass that depends on the system configuration, was disclosed online. It affects OAuth2 Proxy.
OAuth2 Proxy is a reverse proxy and static file server that sits in front of web applications and secures them by handling OAuth 2.0 and OpenID Connect authentication with providers such as Google, GitHub and Azure. It acts as an authentication gateway.
By forging headers, an unauthenticated remote attacker can bypass authentication and access protected routes without holding a valid session.
If exploited, this vulnerability could impact the integrity and availability of systems, with no impact on confidentiality. There is no proof-of-concept or proof of exploitation available online.
When OAuth2 Proxy is deployed with --reverse-proxy enabled and at least one rule configured via --skip_auth_routes or the legacy --skip-auth-regex, the system is vulnerable to CVE-2026-40575: a remote threat actor can forge the X-Forwarded-Uri header to skip the authentication rules and gain unauthorized access to protected resources.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Please install OAuth2 Proxy v7.15.2 or later. After the upgrade, configure the --trusted-proxy-ip flag with the IP addresses or CIDR ranges of your trusted reverse proxies.
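The vulnerable combination described above (affected version, --reverse-proxy enabled, at least one skip-auth rule) and the post-upgrade recommendation (--trusted-proxy-ip set) can be checked mechanically before and after patching. The script below is an added example written for this advisory, not code from the OAuth2 Proxy project. It takes the version string and the process command line, and reports whether the triggering configuration is present; flag names are taken from the advisory, with the hyphenated spelling --skip-auth-routes accepted as well (that is the form used in the project's documentation). Version boundaries are the ones stated above.

```python
"""Audit an OAuth2 Proxy command line for the CVE-2026-40575 exposure
described in this advisory: affected version range, --reverse-proxy enabled,
at least one skip-auth rule, and whether --trusted-proxy-ip is configured.
Added example, not the OAuth2 Proxy project's own code."""
import re
from dataclasses import dataclass, field

VULN_FROM = (7, 5, 0)      # first affected version (from the advisory)
FIXED_IN = (7, 15, 2)      # first fixed version (from the advisory)

# Flags named in the advisory; the hyphenated --skip-auth-routes form is accepted too.
SKIP_AUTH_FLAGS = ("--skip_auth_routes", "--skip-auth-routes", "--skip-auth-regex")
REVERSE_PROXY_FLAG = "--reverse-proxy"
TRUSTED_PROXY_FLAG = "--trusted-proxy-ip"


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'v7.10.0' or '7.15.2'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_in_affected_range(version):
    return VULN_FROM <= parse_version(version) < FIXED_IN


def _flag_values(argv, names):
    """Collect values of (repeatable) flags given as --name=value or --name value."""
    values = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        for name in names:
            if tok == name and i + 1 < len(argv):
                values.append(argv[i + 1])
                i += 1
            elif tok.startswith(name + "="):
                values.append(tok[len(name) + 1:])
        i += 1
    return values


def _bool_flag(argv, name):
    """True if a boolean flag is present as --name or --name=true/1/yes."""
    for tok in argv:
        if tok == name:
            return True
        if tok.startswith(name + "="):
            return tok.split("=", 1)[1].strip().lower() in ("true", "1", "yes")
    return False


@dataclass
class AuditResult:
    version: str
    version_affected: bool
    reverse_proxy: bool
    skip_auth_rules: list = field(default_factory=list)
    trusted_proxy_ips: list = field(default_factory=list)

    @property
    def vulnerable(self):
        # All three conditions from the advisory must hold.
        return self.version_affected and self.reverse_proxy and bool(self.skip_auth_rules)

    def findings(self):
        out = []
        if self.vulnerable:
            out.append(f"VULNERABLE (CVE-2026-40575): {self.version} with --reverse-proxy and "
                       f"{len(self.skip_auth_rules)} skip-auth rule(s); upgrade to v7.15.2 or later")
        elif self.version_affected:
            out.append("affected version, triggering configuration not present; upgrade anyway")
        if self.reverse_proxy and not self.trusted_proxy_ips:
            out.append(f"{TRUSTED_PROXY_FLAG} not set: forwarded headers are not restricted to known proxies")
        return out


def audit(version, argv):
    return AuditResult(
        version=version,
        version_affected=version_in_affected_range(version),
        reverse_proxy=_bool_flag(argv, REVERSE_PROXY_FLAG),
        skip_auth_rules=_flag_values(argv, SKIP_AUTH_FLAGS),
        trusted_proxy_ips=_flag_values(argv, [TRUSTED_PROXY_FLAG]),
    )


if __name__ == "__main__":
    import sys
    # Usage: audit.py <version> <oauth2-proxy args...>; falls back to a constructed demo line.
    if len(sys.argv) > 1:
        result = audit(sys.argv[1], sys.argv[2:])
    else:
        result = audit("v7.10.0", ["--reverse-proxy", "--skip_auth_routes=GET=^/healthz$"])
    for line in result.findings() or ["no findings"]:
        print(line)
```

Run it against the command line of each running oauth2-proxy instance (for example from the container spec or the process table) and once more after the upgrade: the second finding is the one to act on once the version check passes.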
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
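For the abuse pattern this advisory describes, the signal worth monitoring is an X-Forwarded-Uri value that disagrees with the path the edge actually received, in particular one that matches a skip-auth rule while the real path is protected, or a header arriving from an address that is not one of your proxies. The script below is an added detection example, not OAuth2 Proxy's own code or log format; it assumes an edge proxy that logs both the received path and the header, and the JSON log lines, trusted proxy range and skip-auth patterns are constructed for illustration.

```python
"""Detection sketch for the X-Forwarded-Uri forgery described in this advisory.
Added example, not OAuth2 Proxy's own code or log format; the log lines,
trusted proxy range and skip-auth patterns below are constructed."""
import ipaddress
import json
import re

# Assumed deployment facts: the edge proxies that legitimately set the header,
# and the skip-auth rules configured on OAuth2 Proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
SKIP_AUTH_PATTERNS = [re.compile(r"^/healthz$"), re.compile(r"^/static/")]

# Constructed sample log (JSON lines), one record per request seen at the edge.
SAMPLE_LOG = """\
{"ts": "2026-04-16T08:00:01Z", "remote_addr": "10.0.1.5", "path": "/healthz", "x_forwarded_uri": "/healthz"}
{"ts": "2026-04-16T08:00:02Z", "remote_addr": "10.0.1.5", "path": "/admin/users", "x_forwarded_uri": "/healthz"}
{"ts": "2026-04-16T08:00:03Z", "remote_addr": "203.0.113.7", "path": "/admin/users", "x_forwarded_uri": "/static/app.js"}
{"ts": "2026-04-16T08:00:04Z", "remote_addr": "10.0.1.5", "path": "/app", "x_forwarded_uri": null}
"""


def matches_skip_rule(path):
    return any(p.match(path) for p in SKIP_AUTH_PATTERNS)


def is_trusted_proxy(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def analyse_record(rec):
    """Return the reasons a record is suspicious (empty list if clean)."""
    reasons = []
    fwd = rec.get("x_forwarded_uri")
    if fwd is None:
        return reasons  # no forwarded URI: nothing to compare
    if not is_trusted_proxy(rec["remote_addr"]):
        reasons.append("X-Forwarded-Uri received from an address outside the trusted proxy ranges")
    real_path = rec["path"]
    if fwd != real_path and matches_skip_rule(fwd) and not matches_skip_rule(real_path):
        reasons.append("X-Forwarded-Uri matches a skip-auth route while the real path is protected")
    return reasons


def detect(log_text):
    """Parse JSON log lines and return one alert dict per suspicious record."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = analyse_record(rec)
        if reasons:
            alerts.append({"ts": rec["ts"], "remote_addr": rec["remote_addr"],
                           "path": rec["path"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"], a["remote_addr"], a["path"], "; ".join(a["reasons"]))
```

The second rule is the one that survives a correctly configured edge (a proxy that overwrites the header still yields a mismatch if an internal hop injects one), so keep both rules even after --trusted-proxy-ip is set, and review hits against the skip-auth rules actually configured on the instance.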
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.