release v7.15.2 (#3413)

* update to release version v7.15.2 * doc: add changelog entry for v7.15.2 Signed-off-by: Jan Larwig <jan@larwig.com> * fix(deps): override webpackbar to v7 for webpack 5.106.0 compatibility As outlined in https://github.com/facebook/docusaurus/issues/11923 Signed-off-by: Jan Larwig <jan@larwig.com> * chore: fix local test files for nginx setup Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Jan Larwig <jan@larwig.com>
2026-04-14 13:12:28 +02:00 · 2026-04-14 13:12:28 +02:00 · 5961fd99b4
parent bdfde725c6
commit 5961fd99b4
13 changed files with 106 additions and 65 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,6 +6,48 @@

 ## Breaking Changes

+## Changes since v7.15.2
+
+# V7.15.2
+
+## Release Highlights
+
+- 🔵 Golang version upgrade to v1.25.9
+    - Upgrade of all dependencies to their latest versions
+    - [CVE-2026-34986](https://nvd.nist.gov/vuln/detail/CVE-2026-34986)
+    - [CVE-2026-32281](https://nvd.nist.gov/vuln/detail/CVE-2026-32281)
+    - [CVE-2026-32289](https://nvd.nist.gov/vuln/detail/CVE-2026-32289)
+    - [CVE-2026-32288](https://nvd.nist.gov/vuln/detail/CVE-2026-32288)
+    - [CVE-2026-32280](https://nvd.nist.gov/vuln/detail/CVE-2026-32280)
+    - [CVE-2026-32282](https://nvd.nist.gov/vuln/detail/CVE-2026-32282)
+    - [CVE-2026-32283](https://nvd.nist.gov/vuln/detail/CVE-2026-32283)
+-  🕵️‍♀️ Vulnerabilities have been addressed
+
+## Important Notes
+
+We have had security audits performed on OAuth2 Proxy in the past couple of weeks and as a result we have fixed
+several CRITICAL vulnerabilities.
+
+The security vulnerabilities include multiple authentication bypasses and a potential session fixation attack.
+For more details and to identify if you are effects, we urge all users of OAuth2 Proxy to read the security 
+disclosures.
+
+- (Critical) [GHSA-5hvv-m4w4-gf6v](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v) fix: health check user-agent authentication bypass 
+- (Critical) [GHSA-7x63-xv5r-3p2x](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x) fix: authentication bypass via X-Forwarded-Uri header spoofing
+- (High) [GHSA-pxq7-h93f-9jrg](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg) fix: fragment evaluation as part of the allowed routes
+- (Moderate) [GHSA-c5c4-8r6x-56w3](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3) fix: email validation bypass via malformed multi-@ email claims
+
+Furthermore, for improving the security of OAuth2 Proxy we introduced a new flag `--trusted-proxy-ip` that allows users
+to explicitly specify trusted reverse proxy IPs for the `X-Forwarded-*` headers. This is an important step to prevent 
+potential header spoofing attacks and to ensure that OAuth2 Proxy only trusts headers from known and trusted sources.
+We highly recommend users to review their deployment architecture and consider using this flag to enhance the security 
+of their OAuth2 Proxy instances. Check the docs for more details: https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#proxy-options
+
+Furthermore, we want to thank everyone who contributed to the audits and reported potential issues to make open source 
+software like OAuth2 Proxy more secure for everyone. 
+
+## Breaking Changes
+
 ## Changes since v7.15.1

 - [#3411](https://github.com/oauth2-proxy/oauth2-proxy/pull/3411) chore(deps): update gomod dependencies (@tuunit)
@ -13,8 +55,8 @@
 - [GHSA-f24x-5g9q-753f](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f) fix: clear session cookie at beginning of signinpage handler (@fnoehWM / @bella-WI / @tuunit)
 - [GHSA-5hvv-m4w4-gf6v](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v) fix: health check user-agent authentication bypass (@tuunit)
 - [GHSA-7x63-xv5r-3p2x](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x) fix: authentication bypass via X-Forwarded-Uri header spoofing (@tuunit)
- [GHSA-c5c4-8r6x-56w3](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3) fix: email validation bypass via malformed multi-@ email claims (@tuunit)
 - [GHSA-pxq7-h93f-9jrg](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg) fix: fragment evaluation as part of the allowed routes (@tuunit)
+- [GHSA-c5c4-8r6x-56w3](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3) fix: email validation bypass via malformed multi-@ email claims (@tuunit)

 # V7.15.1

--- a/contrib/local-environment/dex.yaml
+++ b/contrib/local-environment/dex.yaml
@ -6,7 +6,7 @@ storage:
  type: etcd
  config:
    endpoints:
-    - http://etcd:2379
+      - http://etcd:2379
    namespace: dex/
 web:
  http: 0.0.0.0:5556
@ -16,17 +16,18 @@ expiry:
  signingKeys: "4h"
  idTokens: "1h"
 staticClients:
- id: oauth2-proxy
-  redirectURIs:
-  # These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
-  - 'http://oauth2-proxy.localtest.me:4180/oauth2/callback' # For basic proxy example.
-  - 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx and traefik example.
-  name: 'OAuth2 Proxy'
-  secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
+  - id: oauth2-proxy
+    redirectURIs:
+      # These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
+      - "http://oauth2-proxy.localtest.me:4180/oauth2/callback" # For basic proxy example.
+      - "http://oauth2-proxy.localtest.me:8080/oauth2/callback" # For nginx example.
+      - "http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback" # For traefik example.
+    name: "OAuth2 Proxy"
+    secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
 enablePasswordDB: true
 staticPasswords:
- email: "admin@example.com"
-  # bcrypt hash of the string "password"
-  hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
-  username: "admin"
-  userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+  - email: "admin@example.com"
+    # bcrypt hash of the string "password"
+    hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+    username: "admin"
+    userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
--- a/contrib/local-environment/docker-compose-alpha-config.yaml
+++ b/contrib/local-environment/docker-compose-alpha-config.yaml
@ -14,7 +14,7 @@ version: "3.0"
 services:
  oauth2-proxy:
    container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
    command: --config /oauth2-proxy.cfg --alpha-config /oauth2-proxy-alpha-config.yaml
    hostname: oauth2-proxy
    volumes:
--- a/contrib/local-environment/docker-compose-gitea.yaml
+++ b/contrib/local-environment/docker-compose-gitea.yaml
@ -14,7 +14,7 @@ version: '3.0'
 services:
  oauth2-proxy:
    container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
    command: --config /oauth2-proxy.cfg
    hostname: oauth2-proxy
    volumes:
--- a/contrib/local-environment/docker-compose-keycloak.yaml
+++ b/contrib/local-environment/docker-compose-keycloak.yaml
@ -10,11 +10,11 @@
 #
 # Access http://oauth2-proxy.localtest.me:4180 to initiate a login cycle using user=admin@example.com, password=password
 # Access http://keycloak.localtest.me:9080 with the same credentials to check out the settings
-version: '3.0'
+version: "3.0"
 services:
  oauth2-proxy:
    container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
    command: --config /oauth2-proxy.cfg
    hostname: oauth2-proxy
    volumes:
@ -43,9 +43,9 @@ services:
    image: keycloak/keycloak:25.0
    hostname: keycloak
    command:
-      - 'start-dev'
-      - '--http-port=9080'
-      - '--import-realm'
+      - "start-dev"
+      - "--http-port=9080"
+      - "--import-realm"
    volumes:
      - ./keycloak:/opt/keycloak/data/import
    environment:
--- a/contrib/local-environment/docker-compose-nginx.yaml
+++ b/contrib/local-environment/docker-compose-nginx.yaml
@ -22,12 +22,12 @@
 version: "3.0"
 services:
  oauth2-proxy:
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
-    ports:
-      - 4180:4180/tcp
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
+    ports: []
    hostname: oauth2-proxy
    container_name: oauth2-proxy
    command: --config /oauth2-proxy.cfg
+    restart: unless-stopped
    volumes:
      - "./oauth2-proxy-nginx.cfg:/oauth2-proxy.cfg"
    networks:
--- a/contrib/local-environment/docker-compose-traefik.yaml
+++ b/contrib/local-environment/docker-compose-traefik.yaml
@ -23,7 +23,7 @@ version: '3.0'
 services:

  oauth2-proxy:
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
    ports: []
    hostname: oauth2-proxy
    volumes:
--- a/contrib/local-environment/docker-compose.yaml
+++ b/contrib/local-environment/docker-compose.yaml
@ -13,7 +13,7 @@ version: "3.0"
 services:
  oauth2-proxy:
    container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
    command: --config /oauth2-proxy.cfg
    hostname: oauth2-proxy
    volumes:
--- a/contrib/local-environment/nginx.conf
+++ b/contrib/local-environment/nginx.conf
@ -1,49 +1,44 @@
-# Reverse proxy to oauth2-proxy
-server {
-  listen       8080;
-  server_name  oauth2-proxy.localtest.me;
-
-  location / {
-    proxy_set_header Host       $host;
-    proxy_set_header X-Real-IP  $remote_addr;
-    proxy_set_header X-Forwarded-Uri $request_uri;
-
-    proxy_pass http://oauth2-proxy:4180/;
-  }
-}
-
 # Reverse proxy to httpbin
 server {
  listen      8080;
-  server_name httpbin.localtest.me;
+  server_name oauth2-proxy.localtest.me;

-  auth_request /internal-auth/oauth2/auth;
+  location /oauth2/ {
+    proxy_pass       http://oauth2-proxy:4180;
+    proxy_set_header Host                    $host;
+    proxy_set_header X-Real-IP               $remote_addr;
+    proxy_set_header X-Forwarded-Uri         $request_uri;
+    proxy_set_header X-Auth-Request-Redirect $request_uri;
+  }

-  # On 401, redirect to the sign_in page via a named location
-  # This ensures a proper 302 redirect that browsers will follow
-  error_page 401 = @oauth2_signin;
+  location = /oauth2/auth {
+    proxy_pass       http://oauth2-proxy:4180;
+    proxy_set_header Host             $host;
+    proxy_set_header X-Real-IP        $remote_addr;
+    proxy_set_header X-Forwarded-Uri  $request_uri;
+    # nginx auth_request includes headers but not body
+    proxy_set_header Content-Length   "";
+    proxy_pass_request_body           off;
+  }

  location / {
+    auth_request /oauth2/auth;
+    error_page 401 = @oauth2_signin;
+
+    # pass information via X-User and X-Email headers to backend,
+    # requires running with --set-xauthrequest flag
+    auth_request_set $user   $upstream_http_x_auth_request_user;
+    auth_request_set $email  $upstream_http_x_auth_request_email;
+    proxy_set_header X-User  $user;
+    proxy_set_header X-Email $email;
+
    proxy_pass http://httpbin/;
+    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }

-  # Named location for OAuth2 sign-in redirect
-  # Returns a proper 302 that works with --skip-provider-button
+  # Named location for handling OAuth2 sign-in redirects
+  # This ensures the browser receives a proper 302 redirect that it will follow
  location @oauth2_signin {
-    return 302 http://oauth2-proxy.localtest.me:8080/oauth2/sign_in?rd=$scheme://$host$request_uri;
-  }
-
-  # auth_request must be a URI so this allows an internal path to then proxy to
-  # the real auth_request path.
-  # The trailing /'s are required so that nginx strips the prefix before proxying.
-  location /internal-auth/ {
-    internal; # Ensure external users can't access this path
-
-    # Make sure the OAuth2 Proxy knows where the original request came from.
-    proxy_set_header Host       $host;
-    proxy_set_header X-Real-IP  $remote_addr;
-    proxy_set_header X-Forwarded-Uri $request_uri;
-
-    proxy_pass http://oauth2-proxy:4180/;
+    return 302 /oauth2/sign_in?rd=$scheme://$http_host$request_uri;
  }
 }
--- a/contrib/local-environment/oauth2-proxy-nginx.cfg
+++ b/contrib/local-environment/oauth2-proxy-nginx.cfg
@ -9,7 +9,7 @@ whitelist_domains=[".localtest.me"] # Required to allow redirection back to orig
 # dex provider
 client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
 client_id="oauth2-proxy"
-redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
+redirect_url="http://oauth2-proxy.localtest.me:8080/oauth2/callback"

 oidc_issuer_url="http://dex.localtest.me:5556/dex"
 provider="oidc"
--- a/docs/docs/installation.md
+++ b/docs/docs/installation.md
@ -5,7 +5,7 @@ title: Installation

 1.  Choose how to deploy:

-    a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.15.1`)
+    a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.15.2`)

    b. Using Go to install the latest release
    ```bash
--- a/docs/package.json
+++ b/docs/package.json
@ -42,5 +42,8 @@
  },
  "engines": {
    "node": ">=18.0"
+  },
+  "overrides" : {
+    "webpackbar" : "^7.0.0"
  }
 }
--- a/docs/versioned_docs/version-7.15.x/installation.md
+++ b/docs/versioned_docs/version-7.15.x/installation.md
@ -5,7 +5,7 @@ title: Installation

 1.  Choose how to deploy:

-    a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.15.1`)
+    a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.15.2`)

    b. Using Go to install the latest release
    ```bash