Skip to main content

Red Hat CVE-2026-40574

MEDIUM
Incorrect Authorization (CWE-863)
2026-04-15 https://github.com/oauth2-proxy/oauth2-proxy GHSA-c5c4-8r6x-56w3
6.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Red Hat
6.8 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch released
Apr 15, 2026 - 20:30 nvd
Patch available
CVE Published
Apr 15, 2026 - 19:23 nvd
MEDIUM 6.8

DescriptionGitHub Advisory

Impact

An authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate with an email claim such as attacker@evil.com@company.com and satisfy an allowed domain check for company.com, even though the claim is not a valid email address.

The issue ONLY affects deployments that rely on email_domain restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. The practical risk ONLY exists in self-hosted or custom OIDC environments and federated setups where unexpected claim values can reach oauth2-proxy. Standard hosted providers that enforce valid email formatting ARE NOT effected.

Patches

Users should upgrade to v7.15.2 or later once available.

Workarounds

The most effective workaround is to ensure the configured identity provider cannot emit malformed or attacker-controlled email claim values.

Analysis

Impact

An authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate with an email claim such as attacker@evil.com@company.com and satisfy an allowed domain check for company.com, even though the claim is not a valid email address.

The issue ONLY affects deployments that rely on email_domain restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. The practical risk ONLY exists in self-hosted or custom OIDC environments and federated setups where unexpected claim values can reach oauth2-proxy. Standard hosted providers that enforce valid email formatting ARE NOT effected.

Patches

Users should upgrade to v7.15.2 or later once available.

Workarounds

The most effective workaround is to ensure the configured identity provider cannot emit malformed or attacker-controlled email claim values.

Vendor StatusVendor

Share

CVE-2026-40574 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy