
What Is an Authentication Bypass? The Bug Class Behind This Week’s OAuth2 Proxy Patch

An authentication bypass is exactly what it sounds like: a flaw that lets someone reach a protected system without logging in. Imagine a security guard who checks IDs at the front door of a building. An authentication bypass is when the attacker walks past the guard by holding up a sign that says “I’m with the cleaners” — and the guard just nods them through, no badge required. The locks are still on the doors. The cameras are still rolling. But the gatekeeper made a wrong decision, and that’s all the attacker needed.

It’s in the news this week because of a critical flaw in OAuth2 Proxy (CVE-2026-40575), a popular tool that thousands of businesses use to put a Microsoft 365 or Google login in front of internal apps like dashboards, automation tools, and admin portals. OAuth2 Proxy can be told that certain paths (a health check, say, or a public landing page) don’t need a login. X-Forwarded-Uri is a header the reverse proxy sitting in front of OAuth2 Proxy is meant to set to say which URL the client actually asked for. The flaw is that a crafted X-Forwarded-Uri value supplied by the attacker is used to make that "does this path need auth?" decision: name a public path in the header while the request really targets a protected one, and OAuth2 Proxy waves it through. No password, no session, no logging in. The CVSS score is 9.1 out of 10, which is about as serious as these things get.
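To make the bug class concrete, here is a small Go model added for this post; it is not OAuth2 Proxy’s own code and does not reproduce the patched function. It shows a path-allowlist check that trusts a client-writable X-Forwarded-Uri header beside one that only honours the header when the request comes from the reverse proxy. The allowlist patterns, the trusted proxy range 10.0.0.0/8, the sample addresses and all function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Constructed allowlist of paths that need no login, in the spirit of
// OAuth2 Proxy's skip-auth route options. Example patterns, not the
// project's defaults.
var skipAuthRoutes = []*regexp.Regexp{
	regexp.MustCompile(`^/healthz$`),
	regexp.MustCompile(`^/public/`),
}

// Assumed address range of the reverse proxy that is allowed to set
// X-Forwarded-Uri. Anything else is treated as an end client.
var trustedProxyNet = mustCIDR("10.0.0.0/8")

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func matchesSkipRoute(path string) bool {
	for _, re := range skipAuthRoutes {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

func fromTrustedProxy(r *http.Request) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && trustedProxyNet.Contains(ip)
}

// vulnerableNeedsAuth models the bug class: the "is this a public path?"
// decision is made on a header the client may have written. The reverse
// proxy is expected to set X-Forwarded-Uri, but nothing checks that it
// did, so a request for /admin with "X-Forwarded-Uri: /healthz" is
// treated as a request for /healthz.
func vulnerableNeedsAuth(r *http.Request) bool {
	path := r.URL.Path
	if fwd := r.Header.Get("X-Forwarded-Uri"); fwd != "" {
		path = fwd
	}
	return !matchesSkipRoute(path)
}

// hardenedNeedsAuth honours X-Forwarded-Uri only when the request came
// from the trusted proxy range; from anyone else the routed path decides.
func hardenedNeedsAuth(r *http.Request) bool {
	path := r.URL.Path
	if fwd := r.Header.Get("X-Forwarded-Uri"); fwd != "" && fromTrustedProxy(r) {
		path = fwd
	}
	return !matchesSkipRoute(path)
}

// newRequest builds constructed test traffic with a chosen source address
// and an optional X-Forwarded-Uri header.
func newRequest(path, forwardedURI, remoteAddr string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, path, nil)
	r.RemoteAddr = remoteAddr
	if forwardedURI != "" {
		r.Header.Set("X-Forwarded-Uri", forwardedURI)
	}
	return r
}

func main() {
	// An internet client asks for /admin but claims it is /healthz.
	attack := newRequest("/admin", "/healthz", "203.0.113.7:40000")
	fmt.Println("vulnerable needs auth:", vulnerableNeedsAuth(attack)) // false: bypassed
	fmt.Println("hardened needs auth:  ", hardenedNeedsAuth(attack))   // true

	// The real proxy's auth subrequest for a public path still skips login.
	legit := newRequest("/oauth2/auth", "/healthz", "10.0.0.5:51000")
	fmt.Println("proxy subrequest for /healthz needs auth:", hardenedNeedsAuth(legit)) // false
}
```

The point of the hardened variant is not that the header is bad; a reverse proxy in auth-request mode genuinely needs it. The point is that only the proxy may be believed, and the proxy itself must overwrite the header rather than pass a client’s value through.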

Why this matters for your business: most organisations don’t run OAuth2 Proxy directly, but your IT provider or DevOps team very likely runs it, or something like it, in front of internal systems. Authentication bypass bugs turn up in firewalls, VPN concentrators, identity providers, and SaaS platforms several times a year. The practical move is to ask whoever manages your infrastructure two questions: “Are we exposed to CVE-2026-40575, and if so, is it patched?” and “How would we know if a similar bypass were exploited against us? What would we see in the logs?” A good answer to the second is that the proxy in front of your apps records the headers clients send, and that someone actually looks at them. If the answer is “we wouldn’t,” that’s worth fixing before the next one of these lands. While they are in there, it’s also worth confirming that the reverse proxy at the edge sets headers like X-Forwarded-Uri itself rather than passing through whatever a client sends, and that OAuth2 Proxy isn’t reachable from the internet except through that proxy. Neither replaces the patch, but both shrink the ways a header-based bypass can reach it.
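For the second question, what the logs would show, here is an added Go example (not from the page, and not an OAuth2 Proxy feature) that runs a simple detection over constructed edge-proxy log lines. It assumes a custom log format, not any proxy’s default, in which the edge proxy records the X-Forwarded-Uri value exactly as the client sent it (the field is labelled xfu), that 10.0.0.0/8 is the proxy’s own range, and the same example allowlist of public paths as the deployment’s skip-auth settings. Any end client sending that header at all is worth a look; one that names a public path while requesting a protected one is an attempted bypass, and a 2xx response on such a request is the case to escalate.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Constructed edge-proxy access log. Assumed format: client address,
// request line, status, then the X-Forwarded-Uri header as the *client*
// sent it ("-" when absent). A proxy that overwrites the header before
// forwarding can still log the incoming value.
const sampleLog = `198.51.100.4 "GET /dashboard HTTP/1.1" 302 xfu="-"
203.0.113.7 "GET /admin HTTP/1.1" 200 xfu="/healthz"
203.0.113.9 "GET /public/docs HTTP/1.1" 200 xfu="-"
203.0.113.7 "GET /api/users HTTP/1.1" 401 xfu="/public/x"
203.0.113.20 "GET /dashboard HTTP/1.1" 302 xfu="/dashboard"
10.0.0.5 "GET /oauth2/auth HTTP/1.1" 202 xfu="/dashboard"`

var lineRe = regexp.MustCompile(`^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) xfu="([^"]*)"$`)

// Paths configured to skip authentication (constructed; mirror the
// deployment's own skip-auth settings in real use).
var publicPaths = []*regexp.Regexp{
	regexp.MustCompile(`^/healthz$`),
	regexp.MustCompile(`^/public/`),
}

// Assumed address range of the edge proxy, which legitimately sets the header.
var trustedProxyRange = mustNet("10.0.0.0/8")

func mustNet(cidr string) *net.IPNet {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		panic(err)
	}
	return n
}

func isPublicPath(p string) bool {
	for _, re := range publicPaths {
		if re.MatchString(p) {
			return true
		}
	}
	return false
}

func fromTrustedRange(addr string) bool {
	ip := net.ParseIP(addr)
	return ip != nil && trustedProxyRange.Contains(ip)
}

type Finding struct {
	Client, Path, Forwarded, Status string
	Severity, Reason                string
}

// detectForwardedURIAbuse flags requests where an end client (not the
// proxy range) sent its own X-Forwarded-Uri, graded by whether the value
// looks like a bypass attempt and whether the request succeeded.
func detectForwardedURIAbuse(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue // unparseable line; a real pipeline would count these
		}
		client, path, status, fwd := m[1], m[3], m[4], m[5]
		if fwd == "-" || fromTrustedRange(client) {
			continue
		}
		f := Finding{Client: client, Path: path, Forwarded: fwd, Status: status}
		attempt := isPublicPath(fwd) && !isPublicPath(path)
		switch {
		case attempt && strings.HasPrefix(status, "2"):
			f.Severity, f.Reason = "high", "header names a public path, real path is protected, request succeeded"
		case attempt:
			f.Severity, f.Reason = "medium", "bypass attempt on a protected path, request did not succeed"
		default:
			f.Severity, f.Reason = "low", "end client sent X-Forwarded-Uri; only the edge proxy should set it"
		}
		out = append(out, f)
	}
	return out
}

func main() {
	for _, f := range detectForwardedURIAbuse(sampleLog) {
		fmt.Printf("%-6s %s %s (xfu=%s, status %s): %s\n",
			f.Severity, f.Client, f.Path, f.Forwarded, f.Status, f.Reason)
	}
}
```

On the sample above this reports the /admin request as high (the header said /healthz and the request got a 200), the /api/users request as medium (same trick, but it was rejected with a 401), and the /dashboard request as low (a client sent the header for no good reason). The proxy’s own subrequest from 10.0.0.5 is ignored, as it should be.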

The All IT cybersecurity team tracks vulnerability advisories like this one daily and can audit what’s sitting in front of your internal apps if you’d like a fresh pair of eyes on it.


Posted in Strategic