Impact
A flaw in OAuth2 Proxy’s email domain enforcement allows an attacker to craft an email claim containing multiple @ characters, such as attacker@evil.com@company.com, that satisfies the allowed domain check for company.com while the claim is not a valid email address. The weakness is rooted in improper validation of email format and permits unauthorized access to resources protected by OAuth2 Proxy, potentially compromising confidentiality and integrity of the protected services. The identified weakness falls under CWE-863, representing an Authorization Bypass via Reverse Map.
Affected Systems
The vulnerability impacts deployments of OAuth2 Proxy versions earlier than 7.15.2 that use the email_domain restriction feature and accept email claim values from identity providers or mapping rules that do not enforce strict email syntax. All affected releases are tracked under the vendor/product identifier oauth2-proxy:oauth2-proxy and must be upgraded to 7.15.2 or later.
Risk and Exploitability
The CVSS score of 6.8 indicates moderate severity. No EPSS score is available, so the exploitation probability is unknown; the absence of a publicly disclosed exploit lowers the immediate risk. The vulnerability was not included in CISA’s KEV catalog. The likely attack path involves an adversary manipulating the email claim in an OAuth token so that it passes the domain check, gaining unauthorized access to resources that rely solely on the email_domain filter for access control.
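To make the flaw described under Impact and the attack path above concrete, the following is an added illustration (not oauth2-proxy's own code) contrasting a suffix-only domain check with one that first requires a well-formed address containing exactly one @. The function names, the allow list and the sample claims are constructed for this example.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// vulnerableDomainAllowed reconstructs the weak pattern the advisory
// describes: it only checks that the claim ends with "@<domain>", so a
// claim with more than one '@' still satisfies the allow list.
func vulnerableDomainAllowed(email string, allowed []string) bool {
	e := strings.ToLower(email)
	for _, d := range allowed {
		if strings.HasSuffix(e, "@"+strings.ToLower(d)) {
			return true
		}
	}
	return false
}

// hardenedDomainAllowed first requires a syntactically valid address that
// net/mail consumes in full (a trailing "@company.com" is rejected), then
// insists on exactly one '@' with non-empty local and domain parts, and
// only then compares the domain part case-insensitively to the allow list.
func hardenedDomainAllowed(email string, allowed []string) bool {
	addr, err := mail.ParseAddress(email)
	if err != nil || addr.Address != email {
		return false // malformed, or carried a display name / comment
	}
	parts := strings.Split(email, "@")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return false
	}
	domain := strings.ToLower(parts[1])
	for _, d := range allowed {
		if domain == strings.ToLower(d) {
			return true
		}
	}
	return false
}

func main() {
	allowed := []string{"company.com"} // constructed allow list
	for _, claim := range []string{"alice@company.com", "attacker@evil.com@company.com"} {
		fmt.Printf("%-32s vulnerable=%-5v hardened=%v\n", claim,
			vulnerableDomainAllowed(claim, allowed), hardenedDomainAllowed(claim, allowed))
	}
}
```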