CVE-2026-40575

OAuth2 Proxy · OAuth2 Proxy

OAuth2 Proxy is vulnerable to authentication bypass when configured with specific headers and skip-auth rules, allowing unauthorized access to protected routes.

Executive summary

A header-spoofing vulnerability in OAuth2 Proxy allows unauthenticated attackers to bypass authentication and access protected backend resources.

Vulnerability

The application trusts user-supplied X-Forwarded-Uri headers, allowing attackers to manipulate how the proxy evaluates authentication rules against backend routes.

Business impact

This flaw permits unauthenticated access to sensitive backend applications, potentially exposing private data or administrative interfaces. The CVSS score of 9.1 underscores the critical risk to the security boundary of the protected application infrastructure.

Remediation

Immediate Action: Upgrade OAuth2 Proxy to version 7.15.2 or later.

Proactive Monitoring: Review logs for suspicious header patterns where X-Forwarded-Uri does not match the intended request path.

Compensating Controls: Configure the upstream load balancer or reverse proxy to strip or overwrite any client-provided X-Forwarded-Uri headers before they reach the OAuth2 Proxy instance.
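The two non-upgrade measures above (log review for X-Forwarded-Uri mismatches, and stripping the client-supplied header at the edge) can be illustrated in a few lines. The following is an added example written for this advisory; it is not code from the OAuth2 Proxy project. The log line format it parses is constructed for the example (real OAuth2 Proxy log lines differ, so the regular expression must be adapted), and the IP addresses and paths are invented sample data.

```python
"""Added example (not OAuth2 Proxy project code).

Part 1: flag log lines where the X-Forwarded-Uri value names a different
        path than the request actually hit (the "proactive monitoring" step).
Part 2: edge-proxy behaviour that discards any client-supplied
        X-Forwarded-Uri and sets it from the edge's own view of the request
        (the "compensating control" step).
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed (hypothetical) log format:
#   "<client_ip> <method> <request_path> xfu=<X-Forwarded-Uri value or '-'>"
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) xfu=(?P<xfu>\S+)$"
)

# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 GET /admin/users xfu=/admin/users
203.0.113.9 GET /admin/users xfu=/public/healthz
198.51.100.4 GET /api/items?page=2 xfu=/api/items
198.51.100.5 POST /login xfu=-
"""


@dataclass
class Finding:
    ip: str
    path: str
    forwarded_uri: str


def normalize_path(uri: str) -> str:
    """Reduce a URI or path to a canonical path so that
    '/a//b/?x=1' and '/a/b' compare equal."""
    path = urlsplit(uri).path or "/"
    path = re.sub(r"/{2,}", "/", path)          # collapse repeated slashes
    if len(path) > 1 and path.endswith("/"):     # drop trailing slash, keep "/"
        path = path[:-1]
    return path


def find_header_mismatches(lines):
    """Return one Finding per log line where X-Forwarded-Uri was present
    and, after normalisation, differs from the path actually requested."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                              # unparseable line: skip
        xfu = m.group("xfu")
        if xfu == "-":
            continue                              # header absent: nothing to compare
        if normalize_path(xfu) != normalize_path(m.group("path")):
            findings.append(Finding(m.group("ip"), m.group("path"), xfu))
    return findings


def build_upstream_headers(client_headers: dict, request_uri: str) -> dict:
    """What the load balancer / reverse proxy in front of OAuth2 Proxy should do:
    remove every client-supplied X-Forwarded-Uri (any letter case) and set the
    header from the URI the edge itself received, so the proxy never sees a
    value chosen by the client."""
    forwarded = {
        name: value
        for name, value in client_headers.items()
        if name.lower() != "x-forwarded-uri"
    }
    forwarded["X-Forwarded-Uri"] = request_uri
    return forwarded


if __name__ == "__main__":
    for f in find_header_mismatches(SAMPLE_LOG.splitlines()):
        print(f"mismatch from {f.ip}: requested {f.path!r} "
              f"but X-Forwarded-Uri said {f.forwarded_uri!r}")
    print(build_upstream_headers(
        {"Host": "app.example", "x-forwarded-uri": "/anything"}, "/admin/users"))
```

The normalisation step matters for the review: query strings, repeated slashes and a trailing slash are not evidence of tampering, so comparing raw strings would drown the one interesting line (the second one, where the header names a path unrelated to the request) in noise. The edge-side function shows the intended end state of the compensating control: the header reaching OAuth2 Proxy is always the edge's own value, never the client's.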

Exploitation status

Public Exploit Available: false

Analyst recommendation

Upgrade to the latest version immediately. If an immediate upgrade is not feasible, implement the recommended configuration changes at the load balancer level to strip the untrusted header.