Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2
AnalysisAI
OAuth2 Proxy versions 7.11.0 through 7.15.1 fail to clear the session cookie when rendering the sign-in page due to a regression, allowing authenticated users to remain logged in even after attempting to log out via the sign-in page. On shared workstations, a subsequent user could hijack the previous user's authenticated session without additional credentials. This affects only deployments using the sign-in page as part of logout flow; organizations with dedicated logout endpoints are unaffected. The vulnerability carries a low CVSS score of 3.5 (physical attack vector required) but poses meaningful risk in shared-access environments.
Technical ContextAI
OAuth2 Proxy is a reverse proxy that intercepts HTTP requests and enforces authentication via OAuth2 providers before allowing access to backend services. The session management mechanism relies on HTTP cookies to maintain authenticated state. CWE-613 (Insufficient Session Expiration) indicates the root cause: the proxy fails to invalidate session cookies at logout time. The regression was introduced in version 7.11.0 and affects the sign-in page rendering logic, which under normal circumstances should clear session state to force re-authentication. Organizations relying on a dedicated /logout or /sign-out endpoint rather than the sign-in page for session termination are not affected because those endpoints properly clear cookies.
RemediationAI
Vendor-released patch: OAuth2 Proxy 7.15.2 and later. Upgrade immediately via https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2. As a temporary mitigation, if patching is delayed, organizations should migrate their logout flow from the sign-in page endpoint to a dedicated logout/sign-out endpoint that explicitly terminates sessions. Verify after upgrade that session cookies are properly cleared when accessing the sign-in page by inspecting browser developer tools. For deployments already using dedicated logout endpoints, no action is required beyond regular patching schedules.
More in Oauth2 Proxy
View allOAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using Providers (Google
OAuth2 Proxy before 5.0 has an open redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remo
CSRF in Bitly oauth2_proxy 2.1 during authentication flow. Rated high severity (CVSS 8.8), this vulnerability is remotel
The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and te
In OAuth2 Proxy before 5.1.1, there is an open redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnerabil
OAuth2-Proxy is an open source reverse proxy that provides authentication with Google, Github or other providers. Rated
In OAuth2 Proxy from version 5.1.1 and less than version 6.0.0, users can provide a redirect address for the proxy to se
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22758
GHSA-f24x-5g9q-753f