OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of skip_auth_routes or the legacy skip_auth_regex.

use of patterns that can be widened by attacker-controlled suffixes, such as ^/foo/.*/bar$ causing potential exposure of /foo/secret.

and protected upstream applications that interpret # as a fragment delimiter or otherwise route the request to the protected base path. In deployments that rely on these settings, an unauthenticated attacker can send a crafted request containing a number sign in the path, including the browser-safe encoded form %23, so that OAuth2 Proxy matches a public allowlist rule while the backend serves a protected resource. Deployments that do not use these skip-auth options, or that only allow exact public paths with tightly scoped method and path rules, are not affected. A fix has been implemented in version 7.15.2 to normalize request paths more conservatively before skip-auth matching so fragment content does not influence allowlist decisions. Users who cannot upgrade immediately can reduce exposure by tightening or removing skip_auth_routes and skip_auth_regex rules, especially patterns that use broad wildcards across path segments. Recommended mitigations include replacing broad rules with exact, anchored public paths and explicit HTTP methods.

rejecting requests whose path contains %23 or # at the ingress, load balancer, or WAF level.

and/or avoiding placing sensitive application paths behind broad skip_auth_routes rules.