OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of "skip_auth_routes" or the legacy "skip_auth_regex"; use of patterns that can be widened by attacker-controlled suffixes, such as "^/foo/.*/bar$" causing potential exposure of "/foo/secret"; and protected upstream applications that interpret "#" as a fragment delimiter or otherwise route the request to the protected base path. In deployments that rely on these settings, an unauthenticated attacker can send a crafted request containing a number sign in the path, including the browser-safe encoded form "%23", so that OAuth2 Proxy matches a public allowlist rule while the backend serves a protected resource. Deployments that do not use these skip-auth options, or that only allow exact public paths with tightly scoped method and path rules, are not affected. A fix has been implemented in version 7.15.2 to normalize request paths more conservatively before skip-auth matching so fragment content does not influence allowlist decisions. Users who cannot upgrade immediately can reduce exposure by tightening or removing "skip_auth_routes" and "skip_auth_regex" rules, especially patterns that use broad wildcards across path segments. Recommended mitigations include replacing broad rules with exact, anchored public paths and explicit HTTP methods; rejecting requests whose path contains "%23" or "#" at the ingress, load balancer, or WAF level; and/or avoiding placing sensitive application paths behind broad "skip_auth_routes" rules.