EXECUTIVE SUMMARY:
CVE-2026-40574, with a CVSS score of 8.5, is a vulnerability in OAuth2 Proxy that enables an attacker to bypass authorization checks via malformed multi-@ email claims. Specifically, the issue affects OAuth2 Proxy deployments that rely on email_domain restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. An attacker can exploit this vulnerability by authenticating with an email claim such as [[email protected]@company.com], which satisfies an allowed-domain check despite not being a valid email address. This allows an unauthenticated attacker to access protected resources, resulting in significant business impact through loss of data confidentiality and integrity. Prerequisites for exploitation include a self-hosted or custom OIDC environment with federated setups in which unexpected claim values can reach oauth2-proxy; the attacker must also have a basic understanding of OAuth2 Proxy configuration and email claim syntax.
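The failure mode described above, as an added illustration that is not oauth2-proxy's own code: a domain check that only inspects the text after the last "@" accepts a multi-@ claim, while a check that first requires a single "@" and a parseable bare address rejects it. The allow-list, the claim values and the domain "evil.example" are constructed for the example.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed allow-list standing in for an email_domain restriction.
var allowedDomains = []string{"company.com"}

func domainAllowed(domain string) bool {
	for _, d := range allowedDomains {
		if strings.EqualFold(domain, d) {
			return true
		}
	}
	return false
}

// weakDomainCheck models a check that only looks at the text after the
// last "@". A multi-@ claim like "attacker@evil.example@company.com"
// passes because the trailing part matches an allowed domain.
func weakDomainCheck(email string) bool {
	idx := strings.LastIndex(email, "@")
	if idx < 0 {
		return false
	}
	return domainAllowed(email[idx+1:])
}

// strictDomainCheck requires exactly one "@" and a parseable bare
// addr-spec (RFC 5322) before comparing the domain, so malformed
// multi-@ claims are rejected before any domain comparison.
func strictDomainCheck(email string) bool {
	if strings.Count(email, "@") != 1 {
		return false
	}
	addr, err := mail.ParseAddress(email)
	if err != nil || addr.Address != email {
		return false
	}
	return domainAllowed(email[strings.IndexByte(email, '@')+1:])
}

func main() {
	for _, c := range []string{"alice@company.com", "attacker@evil.example@company.com"} {
		fmt.Printf("%-36s weak=%-5v strict=%v\n", c, weakDomainCheck(c), strictDomainCheck(c))
	}
}
```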
RECOMMENDATION:
We recommend updating OAuth2 Proxy to version 7.15.2 or later.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-c5c4-8r6x-56w3
https://github.com/advisories/GHSA-pxq7-h93f-9jrg