Executive Summary

CVE-2026-40574 is an authorization bypass vulnerability in OAuth2 Proxy versions prior to 7.15.2 that affects the email_domain enforcement feature.

The vulnerability occurs because OAuth2 Proxy accepts email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. This allows an attacker to use a malformed email address containing multiple '@' characters, such as [email protected]@company.com, to bypass domain validation checks.

As a result, the attacker can authenticate as if they belong to an allowed email domain (e.g., company.com) even though the email claim is not a valid email address.

This issue only affects deployments that rely on email_domain restrictions and accept email claims from identity providers that do not enforce proper email formatting.

The vulnerability is fixed in OAuth2 Proxy version 7.15.2.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to bypass authorization controls based on email domain restrictions.

An attacker could authenticate as a user from a trusted domain without having a valid email address from that domain, potentially gaining unauthorized access to protected resources.

The impact includes a high risk to confidentiality and integrity of the system, as unauthorized users may access sensitive information or perform actions reserved for authorized users.

The vulnerability has a CVSS v3.1 base score of 6.8, indicating moderate severity, with a network attack vector, high attack complexity, low privileges required, no user interaction needed, and no impact on availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises from OAuth2 Proxy accepting malformed email claim values that bypass the email_domain enforcement. Detection involves identifying if your OAuth2 Proxy deployment is using the email_domain restriction feature and whether it accepts email claims that do not strictly follow normal email syntax.

Since the issue is related to malformed email addresses containing multiple '@' characters (e.g., [email protected]@company.com), you can monitor logs or authentication requests for such suspicious email claim patterns.

Commands to detect this might include searching OAuth2 Proxy logs or identity provider logs for email claims with multiple '@' symbols or unusual email formats.

• grep -E '@.*@' /path/to/oauth2-proxy/logs/access.log
• jq '.email' /path/to/authentication/claims.json | grep '@.*@'

These commands help identify email claims that contain more than one '@' character, which could indicate attempts to exploit this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade OAuth2 Proxy to version 7.15.2 or later, where this vulnerability is fixed.

As an immediate workaround before upgrading, ensure that your identity providers do not emit malformed or attacker-controlled email claim values. This means enforcing strict validation of email syntax on the identity provider side or claim mappings.

Additionally, review and tighten your email_domain enforcement configuration to reject any email claims that do not conform to standard email formats.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to bypass authorization checks by exploiting improper email domain validation, potentially leading to unauthorized access to protected resources.

Such unauthorized access could result in exposure or modification of sensitive personal or protected data, which may violate compliance requirements under standards like GDPR or HIPAA that mandate strict access controls and data protection.

Therefore, if exploited in environments subject to these regulations, this vulnerability could undermine compliance by compromising confidentiality and integrity of sensitive information.

Mitigation by upgrading to OAuth2 Proxy version 7.15.2 or later is essential to maintain compliance and prevent potential regulatory violations.

Useful 0 Not Useful 0