{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40574", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T13:24:29.474Z", "datePublished": "2026-04-21T16:32:34.537Z", "dateUpdated": "2026-04-21T20:37:28.072Z"}, "containers": {"cna": {"title": "OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3"}], "affected": [{"vendor": "oauth2-proxy", "product": "oauth2-proxy", "versions": [{"version": "< 7.15.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:32:34.537Z"}, "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate with an email claim such as attacker@evil.com@company.com and satisfy an allowed domain check for company.com, even though the claim is not a valid email address. The issue ONLY affects deployments that rely on email_domain restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. This vulnerability is fixed in 7.15.2."}], "source": {"advisory": "GHSA-c5c4-8r6x-56w3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:18:57.843784Z", "id": "CVE-2026-40574", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:37:28.072Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40574", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T20:18:57.843784Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:20:47.257Z"}}], "cna": {"title": "OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims", "source": {"advisory": "GHSA-c5c4-8r6x-56w3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "oauth2-proxy", "product": "oauth2-proxy", "versions": [{"status": "affected", "version": "< 7.15.2"}]}], "references": [{"url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3", "name": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate with an email claim such as attacker@evil.com@company.com and satisfy an allowed domain check for company.com, even though the claim is not a valid email address. The issue ONLY affects deployments that rely on email_domain restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. This vulnerability is fixed in 7.15.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:32:34.537Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40574", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:37:28.072Z", "dateReserved": "2026-04-14T13:24:29.474Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T16:32:34.537Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate with an email claim such as attacker@evil.com@company.com and satisfy an allowed domain check for company.com, even though the claim is not a valid email address. The issue ONLY affects deployments that rely on email_domain restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. This vulnerability is fixed in 7.15.2."}], "id": "CVE-2026-40574", "lastModified": "2026-04-22T21:24:26.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:55.730", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.15.2)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "oauth2-proxy", "source": "cna", "vendor": "oauth2-proxy"}, "product": "oauth2_proxy", "vendor": "oauth2_proxy_project"}], "analysis": {"en": {"generated_at": "2026-04-21T22:39:29.949930+00:00", "value": {"mitigation_remediation": ["Apply the vendor supplied patch by upgrading OAuth2 Proxy to version 7.15.2 or later.", "If an upgrade is not immediately possible, disable the email_domain enforcement option or enforce strict email syntax validation on all identity provider claim mappings to reject malformed claims.", "Continuously monitor authentication logs for anomalous email claims containing multiple @ characters and review access patterns for indicators of compromise."], "summary": {"action": "Immediate Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts deployments of OAuth2 Proxy versions earlier than 7.15.2 that utilize the email_domain restriction feature and accept email claim values from identity providers or mapping rules that do not enforce strict email syntax. All affected releases are identified by the vendor product oauth2-proxy:oauth2-proxy and must be upgraded to 7.15.2 or later.", "description_and_impact": "A flaw in OAuth2 Proxy\u2019s email domain enforcement allows an attacker to craft an email claim containing multiple @ characters, such as attacker@evil.com@company.com, that satisfies the allowed domain check for company.com while the claim is not a valid email address. The weakness is rooted in improper validation of email format and permits unauthorized access to resources protected by OAuth2 Proxy, potentially compromising confidentiality and integrity of the protected services. The identified weakness falls under CWE-863, representing an Authorization Bypass via Reverse Map.", "risk_and_exploitability": "The CVSS score of 6.8 indicates moderate severity, while no EPSS score is available, thus the exploitation probability is unknown but the absence of a disclosed exploit mitigates immediate risk. The vulnerability was not included in CISA\u2019s KEV catalog. The likely attack path involves an adversary manipulating the email claim in an OAuth token to pass the domain check, granting unauthorized authorization over resources that rely solely on the email_domain filter for access control."}}}}, "created": "2026-04-21T22:45:16.059048+00:00", "updated": "2026-04-22T11:46:10.912599+00:00", "vendors": ["oauth2_proxy_project", "oauth2_proxy_project$PRODUCT$oauth2_proxy"]}