Skip to main content

Oauth2 Proxy CVE-2026-34454

| EUVDEUVD-2026-22758 LOW
Insufficient Session Expiration (CWE-613)
2026-04-14 GitHub_M GHSA-f24x-5g9q-753f
3.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.5 LOW
AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Patch released
Apr 15, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 15, 2026 - 01:07 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:46 euvd
EUVD-2026-22758
Analysis Generated
Apr 14, 2026 - 22:46 vuln.today
CVE Published
Apr 14, 2026 - 22:10 nvd
LOW 3.5

DescriptionGitHub Advisory

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2

AnalysisAI

OAuth2 Proxy versions 7.11.0 through 7.15.1 fail to clear the session cookie when rendering the sign-in page due to a regression, allowing authenticated users to remain logged in even after attempting to log out via the sign-in page. On shared workstations, a subsequent user could hijack the previous user's authenticated session without additional credentials. This affects only deployments using the sign-in page as part of logout flow; organizations with dedicated logout endpoints are unaffected. The vulnerability carries a low CVSS score of 3.5 (physical attack vector required) but poses meaningful risk in shared-access environments.

Technical ContextAI

OAuth2 Proxy is a reverse proxy that intercepts HTTP requests and enforces authentication via OAuth2 providers before allowing access to backend services. The session management mechanism relies on HTTP cookies to maintain authenticated state. CWE-613 (Insufficient Session Expiration) indicates the root cause: the proxy fails to invalidate session cookies at logout time. The regression was introduced in version 7.11.0 and affects the sign-in page rendering logic, which under normal circumstances should clear session state to force re-authentication. Organizations relying on a dedicated /logout or /sign-out endpoint rather than the sign-in page for session termination are not affected because those endpoints properly clear cookies.

RemediationAI

Vendor-released patch: OAuth2 Proxy 7.15.2 and later. Upgrade immediately via https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2. As a temporary mitigation, if patching is delayed, organizations should migrate their logout flow from the sign-in page endpoint to a dedicated logout/sign-out endpoint that explicitly terminates sessions. Verify after upgrade that session cookies are properly cleared when accessing the sign-in page by inspecting browser developer tools. For deployments already using dedicated logout endpoints, no action is required beyond regular patching schedules.

Share

CVE-2026-34454 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy