Update dependency oauth2-proxy to v7.15.2

[renovate]

This PR contains the following updates:

Package	Update	Change
oauth2-proxy	patch	7.15.1 → 7.15.2

---

Release Notes

oauth2-proxy/oauth2-proxy (oauth2-proxy)

v7.15.2

Compare Source

Release Highlights

• 🔵 Golang version upgrade to v1.25.9
  • Upgrade of all dependencies to their latest versions
  • CVE-2026-34986
  • CVE-2026-32281
  • CVE-2026-32289
  • CVE-2026-32288
  • CVE-2026-32280
  • CVE-2026-32282
  • CVE-2026-32283
• 🕵️‍♀️ Vulnerabilities have been addressed

Important Notes

We have had security audits performed on OAuth2 Proxy in the past couple of weeks and as a result we have fixed
several CRITICAL vulnerabilities.

The security vulnerabilities include multiple authentication bypasses and a potential session fixation attack.
For more details and to identify if you are effects, we urge all users of OAuth2 Proxy to read the security
disclosures.

• (Critical) GHSA-5hvv-m4w4-gf6v fix: health check user-agent authentication bypass
• (Critical) GHSA-7x63-xv5r-3p2x fix: authentication bypass via X-Forwarded-Uri header spoofing
• (High) GHSA-pxq7-h93f-9jrg fix: fragment evaluation as part of the allowed routes
• (Moderate) GHSA-c5c4-8r6x-56w3 fix: email validation bypass via malformed multi-@​ email claims

Furthermore, for improving the security of OAuth2 Proxy we introduced a new flag --trusted-proxy-ip that allows users
to explicitly specify trusted reverse proxy IPs for the X-Forwarded-* headers. This is an important step to prevent
potential header spoofing attacks and to ensure that OAuth2 Proxy only trusts headers from known and trusted sources.
We highly recommend users to review their deployment architecture and consider using this flag to enhance the security
of their OAuth2 Proxy instances. Check the docs for more details: https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#proxy-options

Furthermore, we want to thank everyone who contributed to the audits and reported potential issues to make open source
software like OAuth2 Proxy more secure for everyone.

Breaking Changes

Changes since v7.15.1

• #​3411 chore(deps): update gomod dependencies (@​tuunit)
• #​3333 fix: invalidate session on fatal OAuth2 refresh errors (@​frhack)
• GHSA-f24x-5g9q-753f fix: clear session cookie at beginning of signinpage handler (@​fnoehWM / @​bella-WI / @​tuunit)
• GHSA-5hvv-m4w4-gf6v fix: health check user-agent authentication bypass (@​tuunit)
• GHSA-7x63-xv5r-3p2x fix: authentication bypass via X-Forwarded-Uri header spoofing (@​tuunit)
• GHSA-pxq7-h93f-9jrg fix: fragment evaluation as part of the allowed routes (@​tuunit)
• GHSA-c5c4-8r6x-56w3 fix: email validation bypass via malformed multi-@​ email claims (@​tuunit)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.