Vulnerability Description
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oauth2 Proxy Project | Oauth2 Proxy | >= 7.11.0, < 7.15.2 |
Related Weaknesses (CWE)
References
- https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2Vendor Advisory
- https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-Release Notes
FAQ
What is CVE-2026-34454?
CVE-2026-34454 is a vulnerability with a CVSS score of 3.5 (LOW). OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in...
How severe is CVE-2026-34454?
CVE-2026-34454 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34454?
Check the references section above for vendor advisories and patch information. Affected products include: Oauth2 Proxy Project Oauth2 Proxy.