CVE-2026-34454

3.5 LOW
Published: April 14, 2026 Modified: April 23, 2026
View on NVD

Description

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2
Source: security-advisories@github.com
Vendor Advisory
https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f
Source: security-advisories@github.com
Release Notes

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
3.5 / 10.0
EPSS (Exploit Probability)
0.0%
1th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-384 CWE-613

Affected Vendors

oauth2_proxy_project

Related CVEs

CVE-2026-43964 3.7
CVE-2026-42237 N/A
CVE-2026-42236 N/A
CVE-2026-42235 N/A
CVE-2026-42234 N/A