{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40574", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T13:24:29.474Z", "datePublished": "2026-04-21T16:32:34.537Z", "dateUpdated": "2026-04-21T20:37:28.072Z"}, "containers": {"cna": {"title": "OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3"}], "affected": [{"vendor": "oauth2-proxy", "product": "oauth2-proxy", "versions": [{"version": "< 7.15.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:32:34.537Z"}, "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate with an email claim such as attacker@evil.com@company.com and satisfy an allowed domain check for company.com, even though the claim is not a valid email address. The issue ONLY affects deployments that rely on email_domain restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. This vulnerability is fixed in 7.15.2."}], "source": {"advisory": "GHSA-c5c4-8r6x-56w3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:18:57.843784Z", "id": "CVE-2026-40574", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:37:28.072Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40574", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T20:18:57.843784Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:20:47.257Z"}}], "cna": {"title": "OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims", "source": {"advisory": "GHSA-c5c4-8r6x-56w3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "oauth2-proxy", "product": "oauth2-proxy", "versions": [{"status": "affected", "version": "< 7.15.2"}]}], "references": [{"url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3", "name": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate with an email claim such as attacker@evil.com@company.com and satisfy an allowed domain check for company.com, even though the claim is not a valid email address. The issue ONLY affects deployments that rely on email_domain restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. This vulnerability is fixed in 7.15.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:32:34.537Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40574", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:37:28.072Z", "dateReserved": "2026-04-14T13:24:29.474Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T16:32:34.537Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:*:*:*:*:*:*:*:*", "matchCriteriaId": "8ECD42F0-BA8D-4BA5-A347-1CAD636DCF70", "versionEndExcluding": "7.15.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate with an email claim such as attacker@evil.com@company.com and satisfy an allowed domain check for company.com, even though the claim is not a valid email address. The issue ONLY affects deployments that rely on email_domain restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. This vulnerability is fixed in 7.15.2."}], "id": "CVE-2026-40574", "lastModified": "2026-04-27T19:49:09.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:55.730", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/oauth2-proxy/oauth2-proxy: OAuth2 Proxy: Authorization Bypass via malicious email claim", "id": "2460160", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460160"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-551", "details": ["A flaw was found in OAuth2 Proxy, a reverse proxy providing authentication using OAuth2 providers. A remote attacker can exploit an authorization bypass vulnerability by crafting a malicious email claim. This allows the attacker to bypass `email_domain` restrictions, which are used to limit access to specific email domains, and gain unauthorized access. This issue specifically impacts deployments that rely on `email_domain` restrictions and accept email claims without strict email syntax enforcement."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, configure identity providers or claim mappings to strictly enforce normal email syntax for all email claim values. This prevents the acceptance of malformed email claims that could bypass `email_domain` restrictions. Red Hat recommends reviewing OAuth2 Proxy deployment configurations and associated identity providers to ensure robust email validation is in place."}, "name": "CVE-2026-40574", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:9", "fix_state": "Fix deferred", "package_name": "rhceph/oauth2-proxy-rhel9", "product_name": "Red Hat Ceph Storage 9"}], "public_date": "2026-04-21T16:32:34Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40574\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40574\nhttps://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3"], "statement": "A Moderate impact authorization bypass flaw exists in OAuth2 Proxy affecting deployments configured with `email_domain` restrictions. This vulnerability allows a remote attacker to bypass these restrictions by crafting a malicious email claim, such as `attacker@evil.com@company.com`, if the identity provider or claim mapping does not strictly enforce standard email syntax. Red Hat deployments are only affected if they rely on `email_domain` restrictions and accept email claims without strict validation.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.15.2)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "oauth2-proxy", "source": "cna", "vendor": "oauth2-proxy"}, "product": "oauth2_proxy", "vendor": "oauth2_proxy_project"}], "analysis": {"en": {"generated_at": "2026-04-28T21:29:40.609139+00:00", "value": {"mitigation_remediation": ["Apply the vendor supplied patch by upgrading OAuth2 Proxy to version 7.15.2 or later.", "If an upgrade is not immediately possible, disable the email_domain enforcement option or enforce strict email syntax validation on all identity provider claim mappings to reject malformed claims.", "Continuously monitor authentication logs for anomalous email claims containing multiple @ characters and review access patterns for indicators of compromise."], "summary": {"action": "Immediate Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts deployments of OAuth2 Proxy versions earlier than 7.15.2 that utilize the email_domain restriction feature and accept email claim values from identity providers or mapping rules that do not enforce strict email syntax. All affected releases are identified by the vendor product oauth2-proxy:oauth2-proxy and must be upgraded to 7.15.2 or later.", "description_and_impact": "A flaw in OAuth2 Proxy\u2019s email domain enforcement allows an attacker to craft an email claim containing multiple @ characters, such as attacker@evil.com@company.com, that satisfies the allowed domain check for company.com while the claim is not a valid email address. The weakness is rooted in improper validation of email format and permits unauthorized access to resources protected by OAuth2 Proxy, potentially compromising confidentiality and integrity of the protected services. The identified weakness falls under CWE-863 and CWE-551.", "risk_and_exploitability": "The CVSS score of 6.8 indicates moderate severity, the EPSS score is < 1%, indicating a very low exploitation probability, but the absence of a disclosed exploit mitigates immediate risk. The vulnerability was not included in CISA\u2019s KEV catalog. The likely attack path involves an adversary manipulating the email claim in an OAuth token to pass the domain check, granting unauthorized authorization over resources that rely solely on the email_domain filter for access control."}}}}, "created": "2026-04-21T22:45:16.059048+00:00", "updated": "2026-04-28T21:30:26.135282+00:00", "vendors": ["oauth2_proxy_project", "oauth2_proxy_project$PRODUCT$oauth2_proxy"]}