Release notes from oauth2-proxy

v7.15.2

2026-04-14T11:24:35Z

Release Highlights

🔵 Golang version upgrade to v1.25.9
- Upgrade of all dependencies to their latest versions
- CVE-2026-34986
- CVE-2026-32281
- CVE-2026-32289
- CVE-2026-32288
- CVE-2026-32280
- CVE-2026-32282
- CVE-2026-32283
🕵️‍♀️ Vulnerabilities have been addressed

Important Notes

We have had security audits performed on OAuth2 Proxy in the past couple of weeks and as a result we have fixed
several CRITICAL vulnerabilities.

The security vulnerabilities include multiple authentication bypasses and a potential session fixation attack.
For more details and to identify if you are effects, we urge all users of OAuth2 Proxy to read the security
disclosures.

(Critical) GHSA-5hvv-m4w4-gf6v fix: health check user-agent authentication bypass
(Critical) GHSA-7x63-xv5r-3p2x fix: authentication bypass via X-Forwarded-Uri header spoofing
(High) GHSA-pxq7-h93f-9jrg fix: fragment evaluation as part of the allowed routes
(Moderate) GHSA-c5c4-8r6x-56w3 fix: email validation bypass via malformed multi-@ email claims

Furthermore, for improving the security of OAuth2 Proxy we introduced a new flag --trusted-proxy-ip that allows users
to explicitly specify trusted reverse proxy IPs for the X-Forwarded-* headers. This is an important step to prevent
potential header spoofing attacks and to ensure that OAuth2 Proxy only trusts headers from known and trusted sources.
We highly recommend users to review their deployment architecture and consider using this flag to enhance the security
of their OAuth2 Proxy instances. Check the docs for more details: https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#proxy-options

Furthermore, we want to thank everyone who contributed to the audits and reported potential issues to make open source
software like OAuth2 Proxy more secure for everyone.

Breaking Changes

Changes since v7.15.1

#3411 chore(deps): update gomod dependencies (@tuunit)
#3333 fix: invalidate session on fatal OAuth2 refresh errors (@frhack)
GHSA-f24x-5g9q-753f fix: clear session cookie at beginning of signinpage handler (@fnoehWM / @bella-WI / @tuunit)
GHSA-5hvv-m4w4-gf6v fix: health check user-agent authentication bypass (@tuunit)
GHSA-7x63-xv5r-3p2x fix: authentication bypass via X-Forwarded-Uri header spoofing (@tuunit)
GHSA-pxq7-h93f-9jrg fix: fragment evaluation as part of the allowed routes (@tuunit)
GHSA-c5c4-8r6x-56w3 fix: email validation bypass via malformed multi-@ email claims (@tuunit)

v7.15.1

2026-03-23T14:55:28Z

Release Highlights

🐛 Squashed some bugs
🕵️‍♀️ Vulnerabilities have been addressed
- CVE-2026-33186
  OAuth2 Proxy was not impacted by this vulnerability as it isn't in the path of execution

Important Notes

Breaking Changes

Changes since v7.15.0

#3382 chore(deps): update gomod and golangci/golangci-lint to v2.11.4 (@tuunit)
#3374 fix: handle Unix socket RemoteAddr in IP resolution (@H1net)
#3381 fix: do not log error for backend logout 204 (@artificiosus)
#3327 fix: improve logging when session refresh token is missing (@yosri-brh)
#2767 fix: propagate errors during route building (@sybereal)

v7.15.0

2026-03-18T17:19:09Z

Release Highlights

🔒 OIDC JWT signing algorithms can now be configured
🍪 CSRF cookie improvements (SameSite option, proper expiration validation)
🧪 Configuration validation flag: --config-test
🔌 Unix socket file mode support
👤 Session state can now be extend with arbitrary claims from ID Token and upstream IDP user profiles endpoint
- This opens the door for multiple features like:
- Additional arbitrary header values for any claims your IDP provides
- Extended OAuth2 Proxy UserInfo endpoint with all additional claims
- Read the docs here

Important Notes

CSRF cookie validation now correctly uses CSRFExpire instead of Expire. If you relied on the previous behavior, review your session timeout configuration.
Check the [documentation(https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#cookie-options) for cookie-csrf-expire.

Breaking Changes

Changes since v7.14.3

#3352 fix: backend logout URL call on sign out (#3172)(@vsejpal)
#3332 ci: distribute windows binary with .exe extension (@igitur)
#2685 feat: allow arbitrary claims from the IDToken and IdentityProvider UserInfo endpoint to be added to the session state (@vegetablest)
#3278 feat: possibility to inject id_token in redirect url during sign out (@albanf)
#2851 feat: add support for specifying allowed OIDC JWT signing algorithms (#2753) (@andoks / @tuunit)
#3369 fix: use CSRFExpire instead of Expire for CSRF cookie validation (@Br1an67)
#3365 fix: filter empty strings from allowed groups (@Br1an67)
#3338 feat: add --config-test flag for validating configuration (@MayorFaj)
#3347 feat: add same site option for csrf cookies (@jvnoije)
#3376 feat: allow setting unix socket file mode when declaring listener (@Tristan971 / @tuunit)

v7.14.3

2026-02-26T14:11:19Z

Release Highlights

🔵 Go1.25.7 and upgrade of dependencies to latest versions (@tuunit)
- Fixes CVE-2025-68121
🐛 Bug fixes
- Allow Redis URL parameters to configure username, password and max idle connection timeout if the matching configuration is empty.

Important Notes

We improved our supply chain security by added additional checks to prevent potential command injection in the publish release workflow and to ensure that it can only be triggered from branches originating in the local repository. This potential issue was reported by automated systems as well as a couple of security researchers, and we want to thank everyone for their diligence in looking out for the security of the project. Especially Aastha Aggarwal for her detailed report and follow-up. @Aastha2602

Breaking Changes

Changes since v7.14.2

#3183 fix: allow URL parameters to configure username, password and max idle connection timeout if the matching configuration is empty. (@Richard87)

v7.14.2

2026-01-18T00:28:25Z

Release Highlights

Revert AuthOnly endpoint change from v7.14.1 that caused issues when using skip-provider-button enabled

Important Notes

This release reverts the change made in v7.14.1 that caused issues when using the skip-provider-button enabled. Now, when a session does not exist, the AuthOnly endpoint will send a 401 status code as expected instead of a 302 redirect. And instead we extended the documentation to clarify the behavior when using nginx with auth_request and skip-provider-button and how to properly configure redirects for browser and API routes.

Excerpt from v7.14.0 release letter:

This release introduces a breaking change for Alpha Config users and moves us significantly
closer to removing legacy configuration parameters, making the codebase of OAuth2 Proxy more
future proof and extensible.

From v7.14.0 onward, header injection sources must be explicitly nested. If you
previously relied on squashed fields, update to the new structure before upgrading:

# before v7.14.0
injectRequestHeaders:
- name: X-Forwarded-User
  values:
  - claim: user
- name: X-Custom-Secret-header
  values:
  - value: my-super-secret

# v7.14.0 and later
injectRequestHeaders:
- name: X-Forwarded-User
  values:
  - claimSource:
      claim: user
- name: X-Custom-Secret-header
  values:
  - secretSource:
      value: my-super-secret

Furthermore, Alpha Config now fully supports configuring the Server struct using YAML.

// Server represents the configuration for the Proxy HTTP(S) configuration.
type Server struct {
    // BindAddress is the address on which to serve traffic.
    BindAddress string `yaml:"bindAddress,omitempty"`

    // SecureBindAddress is the address on which to serve secure traffic.
    SecureBindAddress string `yaml:"secureBindAddress,omitempty"`

    // TLS contains the information for loading the certificate and key for the
    // secure traffic and further configuration for the TLS server.
    TLS *TLS `yaml:"tls,omitempty"`
}

// TLS contains the information for loading a TLS certificate and key
// as well as an optional minimal TLS version that is acceptable.
type TLS struct {
    // Key is the TLS key data to use.
    Key *SecretSource `yaml:"key,omitempty"`
    // Cert is the TLS certificate data to use.
    Cert *SecretSource `yaml:"cert,omitempty"`
    // MinVersion is the minimal TLS version that is acceptable.
    MinVersion string `yaml:"minVersion,omitempty"`
    // CipherSuites is a list of TLS cipher suites that are allowed.
    CipherSuites []string `yaml:"cipherSuites,omitempty"`
}

More about how to use Alpha Config can be found in the documentation.

Example Alpha configuration: https://github.com/oauth2-proxy/oauth2-proxy/blob/955ab6b/contrib/local-environment/oauth2-proxy-alpha-config.yaml

We are committed to Semantic Versioning and usually avoid breaking changes without a major version release.
Advancing Alpha Config toward its Beta stage required this exception, and even for the Alpha Config we try
to keep breaking changes in v7 to a minium. Thank you for understanding the need for this step to prepare
the project for future maintainability and future improvements like structured logging.

Breaking Changes

Check release notes for v7.14.0

Changes since v7.14.1

#3314 revert: fix: skip provider button auth only redirect (#3309) (@StefanMarkmann / @tuunit)
#3315 docs: clarify browser vs API routes for nginx auth_request redirects (@StefanMarkmann)

v7.14.1

2026-01-17T16:30:46Z

Release Highlights

🔵 Go1.25.6 and upgrade of dependencies to latest versions
🐛 Bug fixes
- AuthOnly now starts the auth flow and send status code 302 if no session exists and skip-provider-button is true
- Fixed static upstream validation issue due to incorrect defaults

Important Notes

Excerpt from v7.14.0 release letter.

https://github.com/oauth2-proxy/oauth2-proxy/releases/v7.14.0

From v7.14.0 onward, header injection sources must be explicitly nested. If you
previously relied on squashed fields, update to the new structure before upgrading:

# before v7.14.0
injectRequestHeaders:
- name: X-Forwarded-User
  values:
  - claim: user
- name: X-Custom-Secret-header
  values:
  - value: my-super-secret

# v7.14.0 and later
injectRequestHeaders:
- name: X-Forwarded-User
  values:
  - claimSource:
      claim: user
- name: X-Custom-Secret-header
  values:
  - secretSource:
      value: my-super-secret

Furthermore, Alpha Config now fully supports configuring the Server struct using YAML.

// Server represents the configuration for the Proxy HTTP(S) configuration.
type Server struct {
    // BindAddress is the address on which to serve traffic.
    BindAddress string `yaml:"bindAddress,omitempty"`

    // SecureBindAddress is the address on which to serve secure traffic.
    SecureBindAddress string `yaml:"secureBindAddress,omitempty"`

    // TLS contains the information for loading the certificate and key for the
    // secure traffic and further configuration for the TLS server.
    TLS *TLS `yaml:"tls,omitempty"`
}

// TLS contains the information for loading a TLS certificate and key
// as well as an optional minimal TLS version that is acceptable.
type TLS struct {
    // Key is the TLS key data to use.
    Key *SecretSource `yaml:"key,omitempty"`
    // Cert is the TLS certificate data to use.
    Cert *SecretSource `yaml:"cert,omitempty"`
    // MinVersion is the minimal TLS version that is acceptable.
    MinVersion string `yaml:"minVersion,omitempty"`
    // CipherSuites is a list of TLS cipher suites that are allowed.
    CipherSuites []string `yaml:"cipherSuites,omitempty"`
}

More about how to use Alpha Config can be found in the documentation.

Example Alpha configuration: https://github.com/oauth2-proxy/oauth2-proxy/blob/955ab6b/contrib/local-environment/oauth2-proxy-alpha-config.yaml

Breaking Changes

Changes since v7.14.0

#3309 fix: Return 302 redirect from AuthOnly endpoint when skip-provider-button is true (@StefanMarkmann)
#3302 fix: static upstreams failing validation due to passHostHeader and proxyWebSockets defaults being set incorrectly (@sourava01 / @tuunit)
#3312 chore(deps): upgrade to go1.25.6 and latest dependencies (@tuunit)

v7.14.0

2026-01-17T10:35:02Z

Release Highlights

🕵️‍♀️ Vulnerabilities have been addressed
🗂️ Major Alpha Config YAML parsing revamped for better extensibility and preparing v8
🐛 Squashed some bugs

Important Notes

From v7.14.0 onward, header injection sources must be explicitly nested. If you
previously relied on squashed fields, update to the new structure before upgrading:

# before v7.14.0
injectRequestHeaders:
- name: X-Forwarded-User
  values:
  - claim: user
- name: X-Custom-Secret-header
  values:
  - value: my-super-secret

# v7.14.0 and later
injectRequestHeaders:
- name: X-Forwarded-User
  values:
  - claimSource:
      claim: user
- name: X-Custom-Secret-header
  values:
  - secretSource:
      value: my-super-secret

Furthermore, Alpha Config now fully supports configuring the Server struct using YAML.

// Server represents the configuration for the Proxy HTTP(S) configuration.
type Server struct {
    // BindAddress is the address on which to serve traffic.
    BindAddress string `yaml:"bindAddress,omitempty"`

    // SecureBindAddress is the address on which to serve secure traffic.
    SecureBindAddress string `yaml:"secureBindAddress,omitempty"`

    // TLS contains the information for loading the certificate and key for the
    // secure traffic and further configuration for the TLS server.
    TLS *TLS `yaml:"tls,omitempty"`
}

// TLS contains the information for loading a TLS certificate and key
// as well as an optional minimal TLS version that is acceptable.
type TLS struct {
    // Key is the TLS key data to use.
    Key *SecretSource `yaml:"key,omitempty"`
    // Cert is the TLS certificate data to use.
    Cert *SecretSource `yaml:"cert,omitempty"`
    // MinVersion is the minimal TLS version that is acceptable.
    MinVersion string `yaml:"minVersion,omitempty"`
    // CipherSuites is a list of TLS cipher suites that are allowed.
    CipherSuites []string `yaml:"cipherSuites,omitempty"`
}

More about how to use Alpha Config can be found in the documentation.

Example Alpha configuration: https://github.com/oauth2-proxy/oauth2-proxy/blob/955ab6b/contrib/local-environment/oauth2-proxy-alpha-config.yaml

Breaking Changes

Alpha Config: header injection no longer supports squashed claim/secret sources; they must now be set explicitly (see example above).

Changes since v7.13.0

#2628 feat(structured config): revamp of yaml parsing using mapstructure decoder and custom decoders (@tuunit)
#3197 fix: NewRemoteKeySet is not using DefaultHTTPClient (@rsrdesarrollo / @tuunit)
#3292 chore(deps): upgrade gomod and bump to golang v1.25.5 (@tuunit)
#3304 fix: added conditional so default is not always set and env vars are honored fixes 3303 (@pixeldrew)
#3264 fix: more aggressively truncate logged access_token (@MartinNowak / @tuunit)
#3267 fix: Session refresh handling in OIDC provider (@gysel)
#3290 fix: WebSocket proxy to respect PassHostHeader setting (@UnsignedLong)

v7.13.0

2025-11-08T13:42:46Z

Release Highlights

🕵️‍♀️ Vulnerabilities have been addressd
🐛 Squashed some bugs

Important Notes

By default all specified headers will now be normalized, meaning that both capitalization and the use of underscores (_) versus dashes (-) will be ignored when matching headers to be stripped. For example, both X-Forwarded-For and X_Forwarded-for will now be treated as equivalent and stripped away.

Please read our security advisory for CVE-2025-64484: GHSA-vjrc-mh2v-45x6

Furthermore, we now use the access_token for validating refreshed sessions in OIDC providers instead of the id_token. This is to align with the OIDC specification which states that id_tokens are not guaranteed to be issued when using refresh tokens. In future releases we might remove the id_token validation for sessions completely.

Breaking Changes

N/A

Changes since v7.12.0

#3228 fix: use GetSecret() in ticket.go makeCookie to respect cookie-secret-file (@stagswtf)
#3244 chore(deps): upgrade to latest go1.25.3 (@tuunit)
#3238 chore: Replace pkg/clock with narrowly targeted stub clocks (@dsymonds)
#3237 - feat: add option to use organization id for preferred username in Google Provider (@pixeldrew)
GHSA-vjrc-mh2v-45x6 fix: request header smuggling by stripping all normalized header variants (@tuunit)
#1933 fix: validation of refreshed sessions using the access_token in the OIDC provider (@gysel / @tuunit)
#2841 feat: add allowed_* constraint option to proxy endpoint query string (@jacobalberty)

v7.12.0

2025-08-19T06:57:40Z

Release Highlights

🕵️‍♀️ Vulnerabilities have been addressed
- CVE-2025-47907
🦸 Support for Cidaas IDP
🐛 Squashed some bugs

Important Notes

Breaking Changes

Changes since v7.11.0

#2273 feat: add Cidaas provider (@Bibob7, @Teko012)
#3166 chore(dep): upgrade to latest golang 1.24.6 (@tuunit)
#3156 feat: allow disable-keep-alives configuration for upstream (@jet-go)
#3150 fix: Gitea team membership (@MagicRB, @tuunit)

v7.11.0

2025-07-30T18:17:50Z

Release Highlights

🏢 Support for SourceHut (sr.ht) provider
🔍️ Support for more fine-grained control over the google admin-sdk scopes and optional google groups
🐛 Squashed some bugs

Important Notes

Firstly, fixed critical vulnerability where skip_auth_routes regex patterns matched against the full request URI (path + query parameters) instead of just the path, allowing authentication bypass attacks.

Secondly, fixed double-escaping of $ in regexes for Alpha Config upstreams path and rewriteTargets:

# Before
upstreams:
  - id: web
    path: ^/(.*)$$
    rewriteTarget: /$$1

# After
upstreams:
  - id: web
    path: ^/(.*)$
    rewriteTarget: /$1

Breaking Changes

If your configuration relies on matching query parameters in skip_auth_routes patterns, you must update your regex patterns to match paths only. Review all skip_auth_routes entries for potential impact.

Example of affected configuration:

# This pattern previously matched both:
# - /api/foo/status (intended)
# - /api/private/sensitive?path=/status (bypass - now fixed)
skip_auth_routes: ["^/api/.*/status"]

For detailed information, migration guidance, and security implications, see the security advisory.

Changes since v7.10.0

#2615 feat(cookies): add option to set a limit on the number of per-request CSRF cookies oauth2-proxy sets (@bh-tt)
#2605 fix: show login page on broken cookie (@Primexz)
#2743 feat: allow use more possible google admin-sdk api scopes (@BobDu)
#2359 feat: add SourceHut (sr.ht) provider(@bitfehler)
#2524 fix: regex substitution for $ signs in upstream path handling before running envsubst (@dashkan / @tuunit)
#3104 feat(cookie): add feature support for cookie-secret-file (@sandy2008)
#3055 feat: support non-default authorization request response mode also for OIDC providers (@stieler-it)
#3138 feat: make google_groups argument optional when using google provider (@sourava01)
#3093 feat: differentiate between "no available key" and error for redis sessions (@nobletrout)
GHSA-7rh7-c77v-6434 fix: skip_auth_routes bypass through query parameter inclusion