OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied "X-Forwarded-Uri" header when "--reverse-proxy" is enabled and "--skip-auth-regex" or "--skip-auth-route" is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application. This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session. Impacted users are deployments that run oauth2-proxy with "--reverse-proxy" enabled and configure at least one "--skip-auth-regex" or "--skip-auth-route" rule. This issue is patched in "v7.15.2". Some workarounds are available for those who cannot upgrade immediately. Strip any client-provided "X-Forwarded-Uri" header at the reverse proxy or load balancer level; explicitly overwrite "X-Forwarded-Uri" with the actual request URI before forwarding requests to OAuth2 Proxy; restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy; and/or remove or narrow "--skip-auth-regex" / "--skip-auth-route" rules where possible. For nginx-based deployments, ensure "X-Forwarded-Uri" is set by nginx and not passed through from the client.