OAuth2 Proxy Hit by Critical Auth Bypass — Patch CVE-2026-40575 Now
A critical authentication bypass in OAuth2 Proxy (CVE-2026-40575, CVSS 9.1) lets an unauthenticated attacker spoof the X-Forwarded-Uri header and walk straight past the login to anything sitting behind the proxy. It affects versions 7.5.0 through 7.15.1 when the proxy runs with --reverse-proxy and has a skip-auth rule for a path such as /health or /public: in that mode the proxy evaluates the skip-auth rule against the path it reads from X-Forwarded-Uri, so a request for a protected path that carries a client-supplied X-Forwarded-Uri of /health is matched by the skip rule and passed through without any session. The fix is in 7.15.2.
If you’ve never heard of OAuth2 Proxy, it’s the small open-source bouncer many Australian businesses (and their IT providers) put in front of internal tools — Grafana dashboards, Kibana, internal admin portals, even n8n automations — to force a Google or Microsoft 365 login before anyone gets through. That’s exactly why this one matters. A bypass on a tool whose entire job is authentication means anything it was protecting could be reachable from the internet right now, with no credentials needed. For wealth managers, NFPs storing donor data, and hospitality groups with internal booking dashboards, that’s the kind of exposure the OAIC takes a dim view of under the Privacy Act.
What to do this week: upgrade OAuth2 Proxy to 7.15.2 or later and set the new --trusted-proxy-ip flag so that only your real load balancer or reverse proxy is allowed to pass forwarded headers through, and a forwarded header arriving from any other source address is ignored. If you can't upgrade today, strip any client-supplied X-Forwarded-Uri header at the edge (the load balancer or nginx in front) before the request reaches OAuth2 Proxy, and confirm that --reverse-proxy is only enabled where a trusted proxy genuinely sits in front of it. Then review access logs for successful (2xx) requests to protected paths that carry no OAuth2 Proxy session cookie (the default cookie is named _oauth2_proxy), particularly where the logged X-Forwarded-Uri names a skip-auth path that differs from the path actually requested. Finally, sanity-check your skip-auth rules: anchor them (^/health$ rather than /health) and drop any that are broader than they need to be.
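To make the bypass and the log check concrete, here is an added example written for this post, not code from the OAuth2 Proxy project, that models the decision described above in plain Python: the vulnerable path resolution (forwarded header trusted from any peer) next to the hardened one (forwarded header honoured only from a trusted proxy range), plus a triage pass over access logs looking for the spoofing pattern. It assumes example skip-auth rules (^/health$ and ^/public/), an example trusted-proxy range (10.0.0.0/24), the default _oauth2_proxy cookie name, and a constructed log format that records X-Forwarded-Uri and cookie presence; the real proxy's internals differ.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Skip-auth rules of the kind the advisory mentions (assumed example patterns, anchored).
SKIP_AUTH_REGEX = [re.compile(r"^/health$"), re.compile(r"^/public/")]

# Source addresses allowed to assert forwarded headers (assumed example range: the LB subnet).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Default OAuth2 Proxy session cookie name.
SESSION_COOKIE = "_oauth2_proxy"


@dataclass
class Request:
    peer_ip: str                                  # TCP peer that connected to the proxy
    path: str                                     # path actually requested
    headers: dict = field(default_factory=dict)   # header names stored lower-case

    def forwarded_uri(self):
        return self.headers.get("x-forwarded-uri")


def skips_auth(path: str) -> bool:
    """True if the path matches any skip-auth rule."""
    return any(rule.search(path) for rule in SKIP_AUTH_REGEX)


def effective_path_vulnerable(req: Request, reverse_proxy: bool) -> str:
    """Vulnerable model: in reverse-proxy mode, X-Forwarded-Uri from *any* peer
    replaces the real path before the skip-auth rules are checked."""
    if reverse_proxy and req.forwarded_uri() is not None:
        return req.forwarded_uri()
    return req.path


def effective_path_hardened(req: Request, reverse_proxy: bool) -> str:
    """Hardened model: X-Forwarded-Uri is honoured only when the connecting peer
    is one of the trusted proxies; otherwise the real path is used."""
    peer = ipaddress.ip_address(req.peer_ip)
    from_trusted_proxy = any(peer in net for net in TRUSTED_PROXIES)
    if reverse_proxy and from_trusted_proxy and req.forwarded_uri() is not None:
        return req.forwarded_uri()
    return req.path


def decide(req: Request, reverse_proxy: bool, hardened: bool) -> str:
    """Return 'allow-without-auth' if a skip-auth rule matches, else 'require-login'."""
    resolve = effective_path_hardened if hardened else effective_path_vulnerable
    return "allow-without-auth" if skips_auth(resolve(req, reverse_proxy)) else "require-login"


# Constructed access-log lines in an assumed custom format that records the
# X-Forwarded-Uri header ("-" if absent) and whether a session cookie was present.
SAMPLE_LOG = """\
203.0.113.7 "GET /admin/users" 200 xfu="/health" cookie="no"
10.0.0.5 "GET /health" 200 xfu="-" cookie="no"
198.51.100.9 "GET /grafana/api/dashboards" 200 xfu="-" cookie="yes"
203.0.113.7 "GET /api/keys" 200 xfu="/public/x" cookie="no"
203.0.113.7 "GET /api/keys" 302 xfu="-" cookie="no"
"""

LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) xfu="([^"]*)" cookie="(yes|no)"$')


def suspicious_lines(log_text: str) -> list:
    """Flag successful requests to protected paths that carried no session cookie
    and whose X-Forwarded-Uri does not match the real path: the spoofing pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status, xfu, cookie = m.groups()
        if (status.startswith("2") and cookie == "no"
                and not skips_auth(path) and xfu not in ("-", path)):
            hits.append((ip, path, xfu))
    return hits


if __name__ == "__main__":
    attack = Request("203.0.113.7", "/admin/users", {"x-forwarded-uri": "/health"})
    print("vulnerable:", decide(attack, reverse_proxy=True, hardened=False))
    print("hardened:  ", decide(attack, reverse_proxy=True, hardened=True))
    for hit in suspicious_lines(SAMPLE_LOG):
        print("suspicious:", hit)
```

Run it as-is: the same spoofed request is waved through by the vulnerable resolver and sent to login by the hardened one, and the two constructed log lines where a client outside the proxy range reached a protected path with no cookie and a skip-auth value in X-Forwarded-Uri are the ones the triage flags. The log format is invented for the example; map the same three fields (real path, forwarded URI, cookie presence) onto whatever your edge actually logs.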
Not sure whether OAuth2 Proxy is in your stack, or who owns the patching of it? Have a chat with your provider — and if that’s us, the All IT cybersecurity team is across this advisory and happy to confirm where you stand.
