CVE-2026-40575
OAuth2 Proxy versions 7.5.0–7.15.1 can trust a client-supplied X-Forwarded-Uri when --reverse-proxy and at least one --skip-auth-regex/--skip-auth-route are configured, enabling header spoofing that makes authentication rules run against a different path. This can let an unauthenticated attacker ...