OAuth2 Proxy, Authorization Bypass, CVE-2026-40574 (Moderate)

The vulnerability stems from improper validation of email claims when the `email_domain` enforcement feature is active. OAuth2 Proxy, when configured to restrict access to users from a specific domain (e.g., company.com), checks the `email` claim provided by the identity provider (IdP) against that domain. However, the validation logic does not enforce standard email syntax. As a result, an attacker can supply a malformed email claim such as [email protected]@company.com. The validation logic, which may parse the domain from the last '@' symbol, would extract `company.com` and consider it a match for the allowed domain. This bypasses the intended restriction, granting the attacker access even though their actual email address does not belong to the allowed domain.

The issue is only exploitable in self-hosted or custom OIDC environments where the identity provider does not strictly validate email formats. Standard hosted providers like Google or GitHub enforce valid email syntax and are unaffected.

The vulnerability affects OAuth2 Proxy versions prior to 7.15.2. The patch introduces stricter email validation to ensure the claim conforms to a valid email address format before performing the domain check. Upgrading to v7.15.2 or later is the primary fix. A workaround is to ensure the configured identity provider cannot emit malformed or attacker-controlled email claim values.
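To make the parsing flaw concrete, here is an added Go example (written for this page, not OAuth2 Proxy's own code or the upstream patch) that places a simplified version of the "take whatever follows the last '@'" domain check next to a strict check that validates the claim as a single address first. The allowed domain `company.com`, the helper names `weakDomainCheck` and `strictDomainCheck`, and the sample claims (including the malformed `attacker@evil.example@company.com`) are all constructed for the example; the real project's function names and exact logic are not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// allowedDomain stands in for the operator's email_domain setting.
// Constructed value for this example.
const allowedDomain = "company.com"

// weakDomainCheck reproduces the class of flaw the advisory describes: the
// domain is whatever follows the LAST '@', and the claim is never validated
// as an email address, so "x@evil.example@company.com" passes.
func weakDomainCheck(emailClaim, allowed string) bool {
	i := strings.LastIndex(emailClaim, "@")
	if i < 0 {
		return false
	}
	return strings.EqualFold(emailClaim[i+1:], allowed)
}

// strictDomainCheck first requires the claim to be a single, syntactically
// valid local@domain address and only then compares the domain. It returns an
// error for malformed claims (reject and log) and a plain false for
// well-formed claims from another domain (ordinary access denial). This is a
// stand-in for the stricter validation the advisory credits to 7.15.2, not
// the upstream patch itself.
func strictDomainCheck(emailClaim, allowed string) (bool, error) {
	// Exactly one '@' with a non-empty local part and domain.
	parts := strings.Split(emailClaim, "@")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return false, errors.New("claim is not a single local@domain address")
	}
	// The standard library parser must also accept it as one address.
	parsed, err := mail.ParseAddress(emailClaim)
	if err != nil {
		return false, fmt.Errorf("claim failed RFC 5322 parsing: %w", err)
	}
	// Reject display-name forms ("Alice <alice@company.com>") and anything
	// the parser normalised away: the claim must be exactly the bare address.
	if parsed.Address != emailClaim {
		return false, errors.New("claim is not a bare address")
	}
	return strings.EqualFold(parts[1], allowed), nil
}

func main() {
	// Constructed claims; the first mimics the malformed shape in the advisory.
	claims := []string{
		"attacker@evil.example@company.com",
		"alice@company.com",
		"bob@evil.example",
		"Mallory <mallory@company.com>",
	}
	for _, c := range claims {
		strictOK, err := strictDomainCheck(c, allowedDomain)
		fmt.Printf("%-40q weak=%-5v strict=%-5v err=%v\n",
			c, weakDomainCheck(c, allowedDomain), strictOK, err)
	}
}
```

Running it shows the malformed claim accepted by the weak check and rejected with an error by the strict one, while a well-formed address from another domain is denied without an error. The distinction matters for detection: a claim that fails syntactic validation should never reach an IdP-issued session, so logging those rejections separately from routine wrong-domain denials gives a clean signal for a misbehaving or attacker-controlled identity provider.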

Platform: OAuth2 Proxy
Version: before 7.15.2
Vulnerability: Email Domain Bypass
Severity: Moderate
Date: 2026-04-14
Prediction: 2026-04-14

What Undercode Says:

The following analytics and recommendations are provided by Undercode.

Bash Commands & Codes:

# Check current OAuth2 Proxy version
./oauth2-proxy --version

# Verify email claim parsing (simulated with jq): prints the text after the last '@'
echo '{"email": "[email protected]@company.com"}' | jq '.email | split("@") | last'

# Exploit simulation (crafting token with malformed email)
# This is for educational purposes only.
TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImF0dGFja2VyQGV2aWwuY29tQGNvbXBhbnkuY29tIn0.xxx"
curl -H "Authorization: Bearer $TOKEN" https://protected-app.example.com

Exploit:

An attacker obtains a valid OAuth2 token from a configured identity provider, but with a manipulated email claim (e.g., [email protected]@company.com). When this token is presented to OAuth2 Proxy, the email domain check is bypassed, granting the attacker unauthorized access to the protected application.

Protection from this CVE:

  • Immediate: Upgrade to OAuth2 Proxy version 7.15.2 or later.
  • Workaround: Ensure your identity provider (IdP) strictly validates email syntax and cannot emit malformed claims. For custom OIDC providers, implement claim mapping that rejects invalid email formats.
  • Configuration: If upgrade is not possible, consider disabling the `email_domain` restriction and using alternative access control mechanisms (e.g., groups).

Impact:

Successful exploitation allows an attacker to bypass domain-based authentication restrictions, potentially gaining unauthorized access to applications and resources protected by OAuth2 Proxy. This could lead to data breaches, privilege escalation, and further compromise of the backend system.

Sources:

Reported By: github.com