Platform: go
Component: nginx
Fixed in: 7.5.1, 7.15.2, 7.15.3
CVE-2026-40575 is a critical authentication bypass in OAuth2 Proxy (oauth2-proxy), the Go authentication reverse proxy that is commonly deployed behind nginx as an auth_request backend. An attacker who can control the X-Forwarded-Uri header on requests that reach OAuth2 Proxy can bypass its authentication checks. The flaw affects 7.5.0 and later releases prior to the fix; it is resolved in version 7.15.2 (the Fixed in field above also lists 7.5.1 and 7.15.3).
The impact of CVE-2026-40575 is significant. An attacker who exploits it bypasses authentication and reaches protected resources behind OAuth2 Proxy, which can lead to data exposure, privilege escalation and compromise of the backend systems. The vulnerability is configuration-dependent: it requires --reverse-proxy together with either --skip-auth-routes or the legacy --skip-auth-regex. With --reverse-proxy enabled, OAuth2 Proxy trusts the X-Forwarded-* headers it receives, and in the nginx auth_request flow, where every subrequest arrives at /oauth2/auth, it takes the original request path from X-Forwarded-Uri and evaluates the skip-auth rules against that path. If the front proxy passes a client-supplied X-Forwarded-Uri through instead of overwriting it, an attacker can name a skipped path in the header while actually requesting a protected one, and the request is allowed through. The root cause is the familiar one behind header manipulation bugs: a header that only a trusted proxy should set is accepted from the client, and an authorization decision is made on that unvalidated value.
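The mechanism described above, modelled end to end as an added example (this is not OAuth2 Proxy's own code, and it is simplified: a cookie named session stands in for the real session, the two-entry skip list is a constructed --skip-auth-routes configuration, and the 202/401 answers of the auth endpoint are assumptions of the model). Two in-process servers are started with net/http/httptest: an auth endpoint that takes the path it checks from X-Forwarded-Uri, and a front proxy that runs an auth_request-style subrequest and either forwards the client's X-Forwarded-Uri untouched (the vulnerable deployment) or overwrites it with the real request URI (the hardened one). Probe is the verification check the mitigation section describes: an unauthenticated GET /admin carrying X-Forwarded-Uri: /healthz.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// skipAuthRoutes stands in for a --skip-auth-routes / --skip-auth-regex
// configuration (constructed for this example): matching paths need no session.
var skipAuthRoutes = []*regexp.Regexp{
	regexp.MustCompile(`^/healthz$`),
	regexp.MustCompile(`^/static/`),
}

// newAuthEndpoint models the /oauth2/auth endpoint under --reverse-proxy. Every
// auth_request subrequest arrives at the same URL, so the path checked against the
// skip list is taken from X-Forwarded-Uri. The cookie session=valid stands in for a
// real session (assumption of this model, not the project's code).
func newAuthEndpoint() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		path := r.Header.Get("X-Forwarded-Uri")
		for _, re := range skipAuthRoutes {
			if re.MatchString(path) {
				w.WriteHeader(http.StatusAccepted)
				return
			}
		}
		if c, err := r.Cookie("session"); err == nil && c.Value == "valid" {
			w.WriteHeader(http.StatusAccepted)
			return
		}
		w.WriteHeader(http.StatusUnauthorized)
	})
}

// newFrontProxy models nginx's auth_request flow: it asks authURL whether the
// request may proceed and serves the protected resource only on a 2xx answer.
// overwriteURI=false forwards a client-supplied X-Forwarded-Uri untouched (the
// vulnerable deployment); overwriteURI=true always sets it from the real request
// URI, which is what `proxy_set_header X-Forwarded-Uri $request_uri;` does.
func newFrontProxy(authURL string, overwriteURI bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sub, _ := http.NewRequest(http.MethodGet, authURL, nil)
		if cookie := r.Header.Get("Cookie"); cookie != "" {
			sub.Header.Set("Cookie", cookie)
		}
		fwd := r.Header.Get("X-Forwarded-Uri")
		if overwriteURI || fwd == "" {
			fwd = r.URL.RequestURI()
		}
		sub.Header.Set("X-Forwarded-Uri", fwd)
		resp, err := http.DefaultClient.Do(sub)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		resp.Body.Close()
		if resp.StatusCode < 200 || resp.StatusCode > 299 {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "protected content of %s\n", r.URL.Path)
	})
}

// Probe is the check from the mitigation section: request path through a front
// proxy, optionally with a valid session and an attacker-chosen X-Forwarded-Uri,
// and return the status the client sees. A 200 for a protected path without a
// session means the bypass worked.
func Probe(overwriteURI bool, path, forwardedURI string, authenticated bool) (int, error) {
	auth := httptest.NewServer(newAuthEndpoint())
	defer auth.Close()
	front := httptest.NewServer(newFrontProxy(auth.URL+"/oauth2/auth", overwriteURI))
	defer front.Close()

	req, _ := http.NewRequest(http.MethodGet, front.URL+path, nil)
	if forwardedURI != "" {
		req.Header.Set("X-Forwarded-Uri", forwardedURI)
	}
	if authenticated {
		req.AddCookie(&http.Cookie{Name: "session", Value: "valid"})
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

func main() {
	for _, overwrite := range []bool{false, true} {
		code, err := Probe(overwrite, "/admin", "/healthz", false)
		fmt.Printf("proxy overwrites X-Forwarded-Uri=%v: GET /admin with X-Forwarded-Uri: /healthz -> %d (err=%v)\n", overwrite, code, err)
	}
}
```

Run it with go run: the vulnerable deployment answers 200 for /admin, the hardened one 401, while an honest request for /healthz and an authenticated request for /admin succeed in both. The point the model isolates is the one the advisory makes: under --reverse-proxy the skip-auth decision depends entirely on X-Forwarded-Uri, so whoever can set that header decides which rules apply.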
CVE-2026-40575 was publicly disclosed on 2026-04-22. The vulnerability's severity is rated as CRITICAL (CVSS 9.1). There is currently no indication of active exploitation in the wild, but the ease of exploitation and the potential impact warrant immediate attention. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests it could be easily demonstrated.
Exploit Status
EPSS: 0.11% (29th percentile)
The primary mitigation for CVE-2026-40575 is to upgrade OAuth2 Proxy to version 7.15.2 or later, which contains the fix. If an immediate upgrade is not possible, make sure the X-Forwarded-Uri header that reaches OAuth2 Proxy can only originate from your own reverse proxy: strip any client-supplied value at the edge (reverse proxy, load balancer or WAF) or overwrite it with the real request URI, and reject values that do not look like a request path. Disabling --reverse-proxy removes the trust in X-Forwarded-* headers, but it is only an option when OAuth2 Proxy is not actually deployed behind a reverse proxy; in an nginx auth_request setup the flag is required, so fix the header handling at the proxy instead. Monitor access logs for requests whose client-supplied X-Forwarded-Uri differs from the path actually requested. After upgrading, confirm the fix by requesting a protected route without a session while sending X-Forwarded-Uri set to a skipped path, and verifying that authentication is still enforced.
To mitigate this issue, update to version 7.15.2 or higher of OAuth2 Proxy. Alternatively, remove the client-supplied `X-Forwarded-Uri` header at the reverse proxy or load balancer, or rewrite it with the actual request URI before sending it to OAuth2 Proxy; in nginx's auth_request location, `proxy_set_header X-Forwarded-Uri $request_uri;` does this, because proxy_set_header replaces any value the client sent.
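A detection pass over the access log, as an added example that is not from the advisory or the project. It assumes a custom nginx log_format that records the header as the client sent it, '$remote_addr "$request" "$http_x_forwarded_uri" $status' (the format and the log lines are constructed for this example; nginx writes "-" for an absent header), and flags every line where the client-supplied X-Forwarded-Uri differs from the requested URI. Because $http_x_forwarded_uri is the incoming header and not the value proxy_set_header injects, the check surfaces attempts on a hardened deployment as well; a 2xx status on a flagged line means the spoofed path was actually served.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Finding is one access-log line where the client's X-Forwarded-Uri did not
// match the URI it actually requested.
type Finding struct {
	Client       string
	RequestURI   string
	ForwardedURI string
	Status       int
}

// Served reports whether the request was answered with 2xx, i.e. the spoofed
// path reached a protected resource instead of being rejected.
func (f Finding) Served() bool { return f.Status >= 200 && f.Status < 300 }

// logLine parses the assumed format: remote_addr "METHOD URI PROTO" "x-forwarded-uri" status.
var logLine = regexp.MustCompile(`^(\S+) "(?:\S+) (\S+) [^"]*" "([^"]*)" (\d{3})$`)

// FlagSpoofedForwardedURI returns the lines whose client-supplied X-Forwarded-Uri
// is present ("-" means absent) and differs from the request line's URI. An equal
// value is not flagged: a trusted upstream proxy may legitimately set the header.
func FlagSpoofedForwardedURI(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		m := logLine.FindStringSubmatch(l)
		if m == nil {
			continue // not in the expected format; skip rather than guess
		}
		fwd := m[3]
		if fwd == "-" || fwd == m[2] {
			continue
		}
		status, _ := strconv.Atoi(m[4])
		out = append(out, Finding{Client: m[1], RequestURI: m[2], ForwardedURI: fwd, Status: status})
	}
	return out
}

// sampleLog is constructed for this example.
var sampleLog = []string{
	`203.0.113.7 "GET /healthz HTTP/1.1" "-" 200`,
	`203.0.113.7 "GET /admin HTTP/1.1" "-" 401`,
	`203.0.113.7 "GET /admin HTTP/1.1" "/healthz" 200`,
	`198.51.100.2 "GET /api/users?id=1 HTTP/1.1" "/api/users?id=1" 200`,
	`198.51.100.2 "GET /admin/users HTTP/1.1" "/static/../admin" 401`,
}

func main() {
	for _, f := range FlagSpoofedForwardedURI(sampleLog) {
		fmt.Printf("%s requested %s but claimed %s -> %d (served=%v)\n",
			f.Client, f.RequestURI, f.ForwardedURI, f.Status, f.Served())
	}
}
```

The third sample line is the signature of a successful bypass (protected path requested, skipped path claimed, 200 returned); the last one is an attempt that the proxy rejected. Adapt logLine to your own log_format rather than the constructed one before running this against real logs.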
CVE-2026-40575 is a critical authentication bypass vulnerability in OAuth2 Proxy that lets an attacker bypass authentication by manipulating the X-Forwarded-Uri header. It affects versions from 7.5.0 up to the fixed release, 7.15.2.
You are affected if you run OAuth2 Proxy 7.5.0 or later without the fix and have configured --reverse-proxy together with --skip-auth-routes or the legacy --skip-auth-regex (the config-file equivalents skip_auth_routes and skip_auth_regex count as well).
Upgrade OAuth2 Proxy to version 7.15.2 or later. If an upgrade is not immediately possible, strip or overwrite the client-supplied X-Forwarded-Uri header at your reverse proxy, or disable --reverse-proxy where OAuth2 Proxy is not actually deployed behind one.
There is currently no indication of active exploitation in the wild, but the vulnerability's ease of exploitation warrants immediate attention.
Refer to the official Nginx OAuth2 Proxy project's security advisories for the most up-to-date information: https://github.com/oauth2-proxy/oauth2-proxy/security/advisories