PT-2026-33223 · Unknown · Oauth2 Proxy

Kodareef5 · Published 2026-04-15 · Updated 2026-04-23 · CVE-2026-40574

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OAuth2 Proxy versions prior to 7.15.2

Description: An authorization bypass exists within the email domain enforcement option. An attacker can authenticate using a malformed email claim, such as attacker@evil.com@company.com, to satisfy an allowed domain check for company.com. This issue specifically affects deployments relying on email domain restrictions that accept email claim values from identity providers or claim mappings that do not strictly enforce standard email syntax. The risk is primarily present in self-hosted or custom OIDC environments and federated setups where unexpected claim values can reach the proxy.

Recommendations: Update to version 7.15.2 or later. Ensure the configured identity provider is unable to emit malformed or attacker-controlled email claim values.
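To show the class of check the advisory describes, the following is an added example in Go and is not OAuth2 Proxy's own code: a suffix-based domain check (NaiveDomainCheck, a hypothetical illustration of the weak pattern) beside a strict check (StrictDomainCheck) that requires exactly one "@" and compares the domain exactly. The sample claims, the allow list "company.com" and the function names are constructed for the example; only the malformed claim value comes from the advisory.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample email claims for the demonstration (not taken from any
// real identity provider). The third value is the malformed shape the
// advisory describes.
var sampleEmails = []string{
	"alice@company.com",
	"mallory@evil.com",
	"attacker@evil.com@company.com",
}

// NaiveDomainCheck models the weak class of check: it only asks whether the
// claim ends in "@<allowed domain>", so any value carrying a trailing
// "@company.com" is accepted regardless of what precedes it.
func NaiveDomainCheck(email string, allowed []string) bool {
	lower := strings.ToLower(email)
	for _, d := range allowed {
		if strings.HasSuffix(lower, "@"+strings.ToLower(d)) {
			return true
		}
	}
	return false
}

// StrictDomainCheck treats the claim as a single addr-spec: exactly one "@",
// a non-empty local part, a non-empty domain, no whitespace, and the domain
// compared exactly (case-insensitively) against the allow list. A claim with
// two "@" characters is rejected before any domain comparison happens.
func StrictDomainCheck(email string, allowed []string) bool {
	if strings.Count(email, "@") != 1 {
		return false
	}
	at := strings.IndexByte(email, '@')
	local, domain := email[:at], email[at+1:]
	if local == "" || domain == "" || strings.ContainsAny(email, " \t\r\n") {
		return false
	}
	domain = strings.ToLower(domain)
	for _, d := range allowed {
		if domain == strings.ToLower(d) {
			return true
		}
	}
	return false
}

// Evaluate runs both checks over the constructed samples and returns the
// decisions keyed by claim, so the divergence on the malformed value is
// visible: index 0 is the naive verdict, index 1 the strict one.
func Evaluate(allowed []string) map[string][2]bool {
	out := make(map[string][2]bool, len(sampleEmails))
	for _, e := range sampleEmails {
		out[e] = [2]bool{NaiveDomainCheck(e, allowed), StrictDomainCheck(e, allowed)}
	}
	return out
}

func main() {
	allowed := []string{"company.com"}
	results := Evaluate(allowed)
	for _, e := range sampleEmails {
		r := results[e]
		fmt.Printf("%-32s naive=%-5v strict=%v\n", e, r[0], r[1])
	}
}
```

Run as-is and the malformed claim is the only input on which the two checks disagree: the naive check admits it, the strict one does not. Logging the rejection reason (for instance, a claim containing more than one "@") also gives operators a simple detection signal for identity providers or claim mappings that emit non-standard email values.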

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

BIT-OAUTH2-PROXY-2026-40574
CVE-2026-40574
GHSA-C5C4-8R6X-56W3

Affected Products

Oauth2 Proxy