Github.Com Oauth2-Proxy Oauth2-Proxy V7 vulnerabilities

8 known vulnerabilities affecting github.com/oauth2-proxy_oauth2-proxy_v7.

Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in the wild: 0
Severity breakdown: CRITICAL 3, HIGH 1, MEDIUM 2, LOW 2

Vulnerabilities

CVE-2026-40575 [CRITICAL] CWE-290 | Affected: ≥ 7.5.0, < 7.15.2 | 2026-04-15
OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing

Impact: A configuration-dependent authentication bypass exists in OAuth2 Proxy. Deployments are affected when all of the following are true:
* OAuth2 Proxy is configured with `--reverse-proxy`
* and at least one rule is defined with `--skip_auth_routes` or the legacy `--skip-auth-regex`
OAuth2 Proxy m

Sources: GHSA
CVE-2026-40574 [MEDIUM] CWE-863 | Affected: ≥ 0, < 7.15.2 | 2026-04-15
OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims

Impact: An authorization bypass exists in OAuth2 Proxy as part of the `email_domain` enforcement option. An attacker may be able to authenticate with an email claim such as `[email protected]@company.com` and satisfy an allowed domain check for `company.com

Sources: GHSA
CVE-2026-34457 [CRITICAL] CWE-290 | Affected: ≥ 0, < 7.15.2 | 2026-04-14
OAuth2 Proxy's Health Check User-Agent Matching Bypasses Authentication in auth_request Mode

Impact: A configuration-dependent authentication bypass exists in OAuth2 Proxy. Deployments are affected when all of the following are true:
- OAuth2 Proxy is used with an `auth_request`-style integration (for example, nginx `auth_request`)
- `--ping-user-agent` is set or `

Sources: GHSA
CVE-2026-34454 [LOW] CWE-384 | Affected: ≥ 7.11.0, < 7.15.2 | 2026-04-14
OAuth2 Proxy's session cookies are not cleared when rendering sign-in page

Impact: A regression introduced in [v7.11.0](https://github.com/oauth2-proxy/oauth2-proxy/pull/2605) is preventing OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. This only impacts deployments that rely on the sign-in page as part of their logout flow. In those setups, a user may be s

Sources: GHSA
CVE-2025-64484 [HIGH] CWE-644 | Affected: ≥ 0, < 7.13.0 | 2025-11-12
OAuth2-Proxy is vulnerable to header smuggling via underscore leading to potential privilege escalation

Impact: All deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based frameworks such as Django, Flask, FastAPI, and PHP applications). Authenticated users can inject underscore variants of X

Sources: GHSA, OSV
CVE-2025-54576 [CRITICAL] CWE-290 | Affected: ≥ 0, < 7.11.0 | 2025-07-30
OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion

Impact: This vulnerability affects oauth2-proxy deployments using the `skip_auth_routes` configuration option with regex patterns. The vulnerability allows attackers to bypass authentication by crafting URLs with query parameters that satisfy the confi

Sources: GHSA, OSV
CVE-2021-21411 [MEDIUM] CWE-285 | Affected: ≥ 0, < 7.1.0 | 2025-07-30
OAuth2-Proxy's `--gitlab-group` GitLab Group Authorization config flag stopped working in v7.0.0

The `--gitlab-group` flag for group-based authorization in the GitLab provider stopped working in the v7.0.0 release. Regardless of the flag settings, authorization wasn't restricted. Additionally, any authenticated users had whichever groups were set in `--gitlab-group`

Sources: GHSA, OSV
CVE-2021-21291 [LOW] CWE-601 | Affected: ≥ 0, < 7.0.0 | 2021-05-25
Subdomain checking of whitelisted domains could allow unintended redirects in oauth2-proxy

Impact: _What kind of vulnerability is it? Who is impacted?_ For users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect. For example, if a whitelist domain was configured for `.example.com`, the i

Sources: GHSA, OSV