CVE-2026-40574 Overview
OAuth2 Proxy is a widely used reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a critical authorization bypass in the email_domain enforcement option. An attacker may be able to authenticate with a malformed email claim such as attacker@evil.com@company.com and satisfy an allowed-domain check for company.com, even though the claim is not a valid email address.
Critical Impact
Attackers can bypass email domain restrictions and gain unauthorized access to protected resources by crafting malicious email claims that exploit improper parsing of the email format.
Affected Products
- OAuth2 Proxy versions prior to 7.15.2
- Deployments using email_domain restrictions
- Configurations accepting email claims from identity providers that do not strictly enforce email syntax
Discovery Timeline
- 2026-04-21 - CVE-2026-40574 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40574
Vulnerability Analysis
This authorization bypass vulnerability (CWE-863: Incorrect Authorization) stems from improper validation of email addresses in the email_domain enforcement mechanism. The OAuth2 Proxy fails to properly parse and validate email claim formats before performing domain matching, allowing specially crafted email strings to bypass domain restrictions.
The vulnerability specifically affects deployments that rely on email_domain restrictions to limit access based on the user's email domain. When an identity provider or claim mapping does not strictly enforce standard email syntax (RFC 5321/5322), an attacker can exploit this weakness by submitting malformed email claims.
Root Cause
The root cause lies in the insufficient validation logic within the email domain extraction routine. When processing an email claim like attacker@evil.com@company.com, the domain extraction algorithm incorrectly identifies company.com as the email domain instead of properly rejecting the malformed input or correctly parsing it as an invalid email address. This occurs because the parsing logic does not account for the presence of multiple @ symbols in the email string.
Attack Vector
The attack is network-based and requires low privileges (an authenticated session with an identity provider). The attacker must craft a malicious email claim through their identity provider profile or exploit a claim mapping that passes through unsanitized values.
The exploitation requires the following conditions:
- Target deployment uses email_domain restrictions for access control
- Identity provider or claim mapping allows non-standard email formats
- Attacker can register or modify their email claim at the identity provider
The attacker constructs an email in the format attacker@attacker-domain.com@allowed-domain.com. When OAuth2 Proxy parses this email to extract the domain for validation, it incorrectly identifies allowed-domain.com as the domain, matching the allowlist and granting unauthorized access.
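The two checks below are an added illustration written for this page; they are not oauth2-proxy's source and do not claim to reproduce its exact logic. NaiveDomainAllowed shows the bug class the advisory describes (the text after the last @ is treated as the domain, so the malformed claim passes), and StrictDomainAllowed shows the validation a fixed or application-layer check needs: exactly one @, a claim that parses as an RFC 5322 address, and a bare addr-spec with nothing the parser silently dropped. The allowlist value is an example.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// exampleAllowlist stands in for the email_domain setting (example value, not from the advisory).
var exampleAllowlist = []string{"company.com"}

// domainAllowed compares the extracted domain against the allowlist with an
// exact, case-insensitive match (never a suffix match).
func domainAllowed(domain string, allowed []string) bool {
	for _, d := range allowed {
		if strings.EqualFold(domain, d) {
			return true
		}
	}
	return false
}

// NaiveDomainAllowed illustrates the bug class the advisory describes: whatever
// follows the LAST "@" is taken as the domain without first checking that the
// claim is a single well-formed address, so "attacker@evil.com@company.com"
// matches "company.com". This is illustrative code, not oauth2-proxy's.
func NaiveDomainAllowed(email string, allowed []string) bool {
	at := strings.LastIndex(email, "@")
	if at < 0 {
		return false
	}
	return domainAllowed(email[at+1:], allowed)
}

// StrictDomainAllowed validates before it matches:
//   1. exactly one "@" in the raw claim (rejects the double-@ form outright,
//      including quoted local parts such as "a@b"@c that a parser might accept),
//   2. the claim parses as an RFC 5322 address,
//   3. the parsed address round-trips to the raw claim with no display name,
//      so "Alice <alice@company.com>" is rejected rather than normalised.
func StrictDomainAllowed(email string, allowed []string) bool {
	if strings.Count(email, "@") != 1 {
		return false
	}
	addr, err := mail.ParseAddress(email)
	if err != nil || addr.Name != "" || addr.Address != email {
		return false
	}
	return domainAllowed(email[strings.LastIndex(email, "@")+1:], allowed)
}

func main() {
	for _, claim := range []string{
		"alice@company.com",
		"attacker@evil.com@company.com",
		"Alice <alice@company.com>",
		"alice@evil.com",
	} {
		fmt.Printf("%-32s naive=%-5t strict=%t\n", claim,
			NaiveDomainAllowed(claim, exampleAllowlist), StrictDomainAllowed(claim, exampleAllowlist))
	}
}
```

The round-trip check in StrictDomainAllowed is what keeps "validate with a parser" from becoming a second bypass: net/mail happily returns a clean address for a claim wrapped in a display name or angle brackets, and an authorization decision should be made on the literal claim the provider issued, not on a normalised form of it.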
Detection Methods for CVE-2026-40574
Indicators of Compromise
- Unusual email addresses in authentication logs containing multiple @ symbols
- Successful authentication events from users with malformed email claims
- Access logs showing users whose email domains should not be permitted by email_domain restrictions
- Identity provider audit logs showing email addresses that do not conform to standard RFC email format
Detection Strategies
- Review OAuth2 Proxy access logs for email addresses containing multiple @ symbols or other non-standard formats
- Implement log analysis rules to flag authentication attempts with malformed email claims
- Cross-reference authenticated user emails against expected domain patterns using strict regex validation
- Monitor for privilege escalation or unauthorized resource access following suspicious authentication events
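As an added example of the log review described above (written for this page, not tooling from the oauth2-proxy project), the program below scans constructed authentication log lines and flags the ones a strict email_domain check would not have let through. The line layout ("client - request id - username [timestamp] [status] message") is an assumption modelled on oauth2-proxy's default authentication log and the allowlist is an example; adjust authLinePattern for your deployment. It checks the username field rather than grepping the whole line, because a line that repeats a valid address in its message part contains two @ characters without being suspicious.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// auditAllowlist stands in for the deployment's email_domain setting (example value).
var auditAllowlist = []string{"company.com"}

// Constructed sample lines (not a real log). The layout is an assumption modelled
// on an oauth2-proxy authentication log; adapt authLinePattern to your format.
var sampleAuthLog = []string{
	`10.0.0.5:51234 - req-0001 - alice@company.com [2026/04/22 10:01:02] [AuthSuccess] Authenticated via OAuth2: Session{email:alice@company.com user:alice}`,
	`10.0.0.9:51240 - req-0002 - attacker@evil.com@company.com [2026/04/22 10:03:14] [AuthSuccess] Authenticated via OAuth2: Session{email:attacker@evil.com@company.com user:attacker}`,
	`10.0.0.7:51250 - req-0003 - bob@partner.org [2026/04/22 10:04:40] [AuthSuccess] Authenticated via OAuth2: Session{email:bob@partner.org user:bob}`,
	`10.0.0.9:51261 - req-0004 - carol@evil.com@company.com [2026/04/22 10:05:03] [AuthFailure] Invalid authentication via OAuth2: unauthorized`,
	`this line does not match the expected format and is skipped`,
}

// authLinePattern captures client, request id, username, timestamp, status and message.
var authLinePattern = regexp.MustCompile(`^(\S+) - (\S+) - (\S+) \[([^\]]+)\] \[(\w+)\] (.*)$`)

const (
	ReasonBypass  = "successful login with malformed email claim (expected exactly one @)"
	ReasonDomain  = "successful login from a domain outside the allowlist"
	ReasonAttempt = "failed login with malformed email claim (attempt, not a bypass)"
)

type Finding struct {
	Line   int // 1-based position in the scanned input
	Email  string
	Status string
	Reason string
}

// domainInAllowlist is only called for claims with exactly one "@".
func domainInAllowlist(email string, allowed []string) bool {
	domain := email[strings.LastIndex(email, "@")+1:]
	for _, d := range allowed {
		if strings.EqualFold(domain, d) {
			return true
		}
	}
	return false
}

// AuditAuthLog returns one Finding per line whose username field could not have
// passed a strict email_domain check. Successful logins with a malformed claim
// are the bypass signal; failed logins with a malformed claim are attempts and
// are reported separately; lines that do not match the format are skipped.
func AuditAuthLog(lines []string, allowed []string) []Finding {
	var findings []Finding
	for i, line := range lines {
		m := authLinePattern.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		email, status := m[3], m[5]
		malformed := strings.Count(email, "@") != 1
		switch {
		case status == "AuthSuccess" && malformed:
			findings = append(findings, Finding{i + 1, email, status, ReasonBypass})
		case status == "AuthSuccess" && !domainInAllowlist(email, allowed):
			findings = append(findings, Finding{i + 1, email, status, ReasonDomain})
		case status != "AuthSuccess" && malformed:
			findings = append(findings, Finding{i + 1, email, status, ReasonAttempt})
		}
	}
	return findings
}

func main() {
	for _, f := range AuditAuthLog(sampleAuthLog, auditAllowlist) {
		fmt.Printf("line %d [%s] %s: %s\n", f.Line, f.Status, f.Email, f.Reason)
	}
}
```

Run over real logs, the ReasonBypass findings are the ones to treat as incidents (correlate the request id and client with downstream access logs); ReasonAttempt findings after the upgrade show the same technique being tried against a patched proxy.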
Monitoring Recommendations
- Keep OAuth2 Proxy authentication logging enabled so the email claim on every authentication event is recorded
- Set up alerts for authentication events where the email claim contains irregular patterns
- Implement SIEM rules to correlate OAuth2 Proxy authentication logs with subsequent access patterns
- Regularly audit identity provider configurations to ensure email claim validation is properly enforced
How to Mitigate CVE-2026-40574
Immediate Actions Required
- Upgrade OAuth2 Proxy to version 7.15.2 or later immediately
- Review authentication logs for evidence of exploitation attempts using malformed email addresses
- Audit identity provider configurations to ensure strict email format validation
- Consider implementing additional validation at the application layer for email domain enforcement
Patch Information
The vulnerability is fixed in OAuth2 Proxy version 7.15.2. Organizations should upgrade to this version or later as soon as possible. The fix addresses the improper email parsing by enforcing strict email syntax validation before domain extraction.
For detailed patch information and security advisory, see the GitHub Security Advisory.
Workarounds
- Configure identity providers to strictly validate and normalize email addresses before issuing claims
- Implement additional email validation middleware between the identity provider and OAuth2 Proxy
- Until patching is complete, supplement or replace email_domain with an allowlist that is matched as a whole rather than by domain (for example an explicit list of permitted email addresses via --authenticated-emails-file), or with group-based restrictions from the identity provider
- Apply network-level access controls to limit exposure of protected resources while remediation is in progress
# Verify OAuth2 Proxy version after upgrade
oauth2-proxy --version
# Expected output: oauth2-proxy v7.15.2 or higher
# Review authentication logs for a single address token containing two @ characters.
# A loose pattern such as '@.*@' would also match any line that merely mentions two
# separate addresses (the authentication log repeats the session email in its message
# field), so anchor on one whitespace-free token. The log path is an example; use the
# location your deployment writes to.
grep -E '[^[:space:]]*@[^[:space:]]*@' /var/log/oauth2-proxy/access.log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

