CVE-2026-40574
Authorization Bypass in OAuth2 Proxy Email Domain Enforcement
Publication date: 2026-04-21
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oauth2_proxy_project | oauth2_proxy | to 7.15.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40574 is an authorization bypass vulnerability in OAuth2 Proxy versions prior to 7.15.2 that affects the email_domain enforcement feature.
The vulnerability occurs because OAuth2 Proxy accepts email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. This allows an attacker to use a malformed email address containing multiple '@' characters, such as [email protected]@company.com, to bypass domain validation checks.
As a result, the attacker can authenticate as if they belong to an allowed email domain (e.g., company.com) even though the email claim is not a valid email address.
This issue only affects deployments that rely on email_domain restrictions and accept email claims from identity providers that do not enforce proper email formatting.
The vulnerability is fixed in OAuth2 Proxy version 7.15.2.
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass authorization controls based on email domain restrictions.
An attacker could authenticate as a user from a trusted domain without having a valid email address from that domain, potentially gaining unauthorized access to protected resources.
The impact includes a high risk to confidentiality and integrity of the system, as unauthorized users may access sensitive information or perform actions reserved for authorized users.
The vulnerability has a CVSS v3.1 base score of 6.8, indicating moderate severity, with a network attack vector, high attack complexity, low privileges required, no user interaction needed, and no impact on availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from OAuth2 Proxy accepting malformed email claim values that bypass the email_domain enforcement. Detection involves identifying if your OAuth2 Proxy deployment is using the email_domain restriction feature and whether it accepts email claims that do not strictly follow normal email syntax.
Since the issue is related to malformed email addresses containing multiple '@' characters (e.g., [email protected]@company.com), you can monitor logs or authentication requests for such suspicious email claim patterns.
Commands to detect this might include searching OAuth2 Proxy logs or identity provider logs for email claims with multiple '@' symbols or unusual email formats.
- `grep -E '@.*@' /path/to/oauth2-proxy/logs/access.log`
- `jq '.email' /path/to/authentication/claims.json | grep '@.*@'`
These commands help identify email claims that contain more than one '@' character, which could indicate attempts to exploit this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OAuth2 Proxy to version 7.15.2 or later, where this vulnerability is fixed.
As an immediate workaround before upgrading, ensure that your identity providers do not emit malformed or attacker-controlled email claim values. This means enforcing strict validation of email syntax on the identity provider side or claim mappings.
Additionally, review and tighten your email_domain enforcement configuration to reject any email claims that do not conform to standard email formats.
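The flaw described in the explanation above, and the strict claim validation this mitigation calls for, as an added Go example that is not oauth2-proxy's own code: `naiveDomainAllowed` is a hypothetical check of the weak kind described (it only inspects the text after the last `@`), and `strictDomainAllowed` is the hardened form; the `allowedDomains` list is a constructed stand-in for an email_domain setting.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed stand-in for an email_domain allow-list (assumption).
var allowedDomains = []string{"company.com"}

// domainAllowed compares a domain against the allow-list, case-insensitively.
func domainAllowed(domain string) bool {
	for _, d := range allowedDomains {
		if strings.EqualFold(domain, d) {
			return true
		}
	}
	return false
}

// naiveDomainAllowed is a hypothetical check of the weak kind described:
// it trusts the claim as-is and only looks at the text after the last '@',
// so a claim like "user@other.example@company.com" is accepted.
func naiveDomainAllowed(email string) bool {
	at := strings.LastIndex(email, "@")
	if at < 0 {
		return false
	}
	return domainAllowed(email[at+1:])
}

// strictDomainAllowed is the hardened form: exactly one '@', a bare RFC 5322
// addr-spec with no display name or comment, and only then the domain check.
func strictDomainAllowed(email string) (bool, error) {
	if strings.Count(email, "@") != 1 {
		return false, fmt.Errorf("claim %q must contain exactly one '@'", email)
	}
	addr, err := mail.ParseAddress(email)
	if err != nil || addr.Address != email {
		return false, fmt.Errorf("claim %q is not a plain address", email)
	}
	domain := email[strings.LastIndex(email, "@")+1:]
	if !domainAllowed(domain) {
		return false, fmt.Errorf("domain %q is not an allowed email_domain", domain)
	}
	return true, nil
}
```

The same exactly-one-`@` rule is what the detection commands above look for in logs; applying it before the domain comparison closes the gap regardless of what the identity provider emits.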
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to bypass authorization checks by exploiting improper email domain validation, potentially leading to unauthorized access to protected resources.
Such unauthorized access could result in exposure or modification of sensitive personal or protected data, which may violate compliance requirements under standards like GDPR or HIPAA that mandate strict access controls and data protection.
Therefore, if exploited in environments subject to these regulations, this vulnerability could undermine compliance by compromising confidentiality and integrity of sensitive information.
Mitigation by upgrading to OAuth2 Proxy version 7.15.2 or later is essential to maintain compliance and prevent potential regulatory violations.