[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-40575":6},{"stargazers_count":4,"fetched_at":5},5,"2026-04-22T10:18:55.356Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":59,"aliases":60,"duplicate_of":9,"upstream":62,"downstream":63,"duplicates":64,"related":65,"reserved_at":9,"published_at":66,"modified_at":66,"state":67,"summary":68,"references_raw":75,"kevs":89,"epss":9,"epss_history":90,"metrics":91,"affected":101},"CVE-2026-40575","OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabled and `--skip-auth-regex` or `--skip-auth-route` is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application. This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session. Impacted users are deployments that run oauth2-proxy with `--reverse-proxy` enabled and configure at least one `--skip-auth-regex` or `--skip-auth-route` rule. This issue is patched in `v7.15.2`. Some workarounds are available for those who cannot upgrade immediately. Strip any client-provided `X-Forwarded-Uri` header at the reverse proxy or load balancer level; explicitly overwrite `X-Forwarded-Uri` with the actual request URI before forwarding requests to OAuth2 Proxy; restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy; and/or remove or narrow `--skip-auth-regex` / `--skip-auth-route` rules where possible. For nginx-based deployments, ensure `X-Forwarded-Uri` is set by nginx and not passed through from the client.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-290","Authentication Bypass by Spoofing","This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.","weakness","Incomplete","Base",[19,23,27,31,35,39,43,47,51,55],{"id":20,"name":21,"techniques":22},"CAPEC-21","Exploitation of Trusted Identifiers",[],{"id":24,"name":25,"techniques":26},"CAPEC-22","Exploiting Trust in Client",[],{"id":28,"name":29,"techniques":30},"CAPEC-459","Creating a Rogue Certification Authority Certificate",[],{"id":32,"name":33,"techniques":34},"CAPEC-461","Web Services API Signature Forgery Leveraging Hash Function Extension Weakness",[],{"id":36,"name":37,"techniques":38},"CAPEC-473","Signature Spoof",[],{"id":40,"name":41,"techniques":42},"CAPEC-476","Signature Spoofing by Misrepresentation",[],{"id":44,"name":45,"techniques":46},"CAPEC-59","Session Credential Falsification through Prediction",[],{"id":48,"name":49,"techniques":50},"CAPEC-60","Reusing Session IDs (aka Session Replay)",[],{"id":52,"name":53,"techniques":54},"CAPEC-667","Bluetooth Impersonation AttackS (BIAS)",[],{"id":56,"name":57,"techniques":58},"CAPEC-94","Adversary in the Middle (AiTM)",[],[],[61],"GHSA-7x63-xv5r-3p2x",[],[],[],[],"2026-04-21T23:20:30.486Z","Received",{"cisa_kev":69,"cisa_ransomware":69,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":70,"severity_score":71,"severity_version":72,"severity_source":73,"severity_vector":74,"severity_status":67},false,"critical",9.1,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",[76,84],{"url":77,"sources":78,"tags":81},"https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x",[79,73,80],"osv_go","nvd",[82,83],"WEB","X Refsource CONFIRM",{"url":85,"sources":86,"tags":87},"https://github.com/oauth2-proxy/oauth2-proxy",[79],[88],"PACKAGE",[],[],[92,96,99],{"source":79,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":93,"cvss_v4_0":9},{"baseScore":71,"baseSeverity":9,"vectorString":74,"impactScore":94,"exploitabilityScore":95},8.7,10,{"source":73,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":97,"cvss_v4_0":9},{"baseScore":71,"baseSeverity":98,"vectorString":74,"impactScore":94,"exploitabilityScore":95},"CRITICAL",{"source":80,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":100,"cvss_v4_0":9},{"baseScore":71,"baseSeverity":98,"vectorString":74,"impactScore":94,"exploitabilityScore":95},[102,117],{"ecosystem":103,"name":104,"vendor":105,"product":106,"cpe_part":9,"purl_type":107,"purl_namespace":105,"purl_name":106,"source":9,"versions":108},"Go","github.com/oauth2-proxy/oauth2-proxy/v7","github.com/oauth2-proxy/oauth2-proxy","v7","golang",[109],{"version":110,"is_range":111,"range_type":112,"version_start":113,"version_start_type":114,"version_end":115,"version_end_type":116,"fixed_in":9},"gte7_5_0_lt7_15_2",true,"semver","7.5.0","including","7.15.2","excluding",{"ecosystem":9,"name":118,"vendor":118,"product":118,"cpe_part":119,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":120},"oauth2-proxy","a",[121],{"version":122,"is_range":111,"range_type":73,"version_start":113,"version_start_type":114,"version_end":115,"version_end_type":116,"fixed_in":9},">= 7.5.0, \u003C 7.15.2"]