CVE-2026-40574
MEDIUM
GHSA-c5c4-8r6x-56w3
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
DescriptionNVD
Impact
An authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate with an email claim such as [email protected]@company.com and satisfy an allowed domain check for company.com, even though the claim is not a valid email address.
The issue ONLY affects deployments that rely on email_domain restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. The practical risk ONLY exists in self-hosted or custom OIDC environments and federated setups where unexpected claim values can reach oauth2-proxy. Standard hosted providers that enforce valid email formatting ARE NOT effected.
Patches
Users should upgrade to v7.15.2 or later once available.
Workarounds
The most effective workaround is to ensure the configured identity provider cannot emit malformed or attacker-controlled email claim values.
AnalysisAI
An authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate with an email claim such as [email protected]@company.com and satisfy an allowed domain check for company.com, even though the claim is not a valid email address. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today