CVE-2026-40574 — Incorrect Authorization in oauth2-proxy v7

- Severity: MEDIUM (no CVSS vector given)
- EPSS: no data
- CISA KEV: not in KEV
- Exploit: no known exploits
- Affected products: not listed
- Published: Apr 15
### Description

OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims

### Impact
An authorization bypass exists in OAuth2 Proxy as part of the `email_domain` enforcement option. An attacker may be able to authenticate with an email claim such as `[email protected]@company.com` and satisfy an allowed domain check for `company.com`, even though the claim is not a valid email address.
The issue **ONLY** affects deployments that rely on `email_domain` restrictions…
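To make the failure mode concrete, the following added example (not OAuth2 Proxy's own code) contrasts a hypothetical permissive domain check, which only inspects the text after the last `@`, with a strict check that first rejects any claim that is not `local@domain` with exactly one `@`. The allowed domain and the sample claims are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveDomainAllowed models a permissive check that looks only at the text
// after the last '@'. Hypothetical illustration, not OAuth2 Proxy's code:
// a claim with several '@' signs passes as long as it ends in an allowed domain.
func naiveDomainAllowed(email string, allowed []string) bool {
	at := strings.LastIndex(email, "@")
	if at < 0 {
		return false
	}
	domain := strings.ToLower(email[at+1:])
	for _, d := range allowed {
		if domain == strings.ToLower(d) {
			return true
		}
	}
	return false
}

// strictDomainAllowed requires a well-formed claim before comparing domains:
// exactly one '@', a non-empty local part and a non-empty domain. Malformed
// multi-@ claims are rejected outright instead of being partially matched.
func strictDomainAllowed(email string, allowed []string) bool {
	parts := strings.Split(email, "@")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return false
	}
	domain := strings.ToLower(parts[1])
	for _, d := range allowed {
		if domain == strings.ToLower(d) {
			return true
		}
	}
	return false
}

func main() {
	allowed := []string{"company.com"} // constructed allow-list
	// Constructed sample claims: one valid, one malformed multi-@ claim.
	for _, claim := range []string{"alice@company.com", "mallory@attacker.example@company.com"} {
		fmt.Printf("%-40s naive=%v strict=%v\n", claim,
			naiveDomainAllowed(claim, allowed), strictDomainAllowed(claim, allowed))
	}
}
```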
### Affected packages

1 package

### Vulnerability details

- GHSA: OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims (2026-04-15)