CVE-2026-34454
Published:April 14, 2026
Updated:April 23, 2026
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2
Affected Packages
https://github.com/oauth2-proxy/oauth2-proxy.git (GITHUB):
Affected version(s) >=v0.1 <v7.15.2Fix Suggestion:
Update to version v7.15.2github.com/oauth2-proxy/oauth2-proxy/v7 (GO):
Affected version(s) >=v7.11.0 <v7.15.2Fix Suggestion:
Update to version v7.15.2Related Resources (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
2.4
Attack Vector
PHYSICAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.5
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
EPSS
Base Score:
0.01
