CVE-2026-34454

LOW EPSS 8.0%
Published Apr 14, 2026 (2mo ago) · Modified Jun 17, 2026 (1w ago)
3.5 CVSS 3.1
Low

Description

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2.
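A quick way to verify a deployment is to send a request that carries an existing session cookie to the sign-in page and inspect the Set-Cookie headers in the response: a fixed build expires the session cookie, a regressed build leaves it untouched. The checker below is an added example, not code from the oauth2-proxy project; it assumes the default cookie name `_oauth2_proxy` (configurable with `--cookie-name`) and that chunked sessions use a `_0`, `_1`, ... suffix. The sample headers are constructed, not captured from a real deployment.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: default oauth2-proxy session cookie name (--cookie-name).
DEFAULT_COOKIE = "_oauth2_proxy"


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def clears_cookie(header, now=None):
    """True if this Set-Cookie header expires the cookie it names."""
    now = now or datetime.now(timezone.utc)
    _, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):  # unparseable or naive date
            return False
    return False


def session_cleared(set_cookie_headers, cookie_name=DEFAULT_COOKIE, now=None):
    """True if any header clears the session cookie or one of its chunks."""
    pattern = re.compile(rf"^{re.escape(cookie_name)}(_\d+)?$")
    return any(pattern.match(parse_set_cookie(h)[0]) and clears_cookie(h, now)
               for h in set_cookie_headers)


# Constructed samples: what a fixed vs. a regressed sign-in page might send.
FIXED_HEADERS = [
    "_oauth2_proxy=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure",
]
REGRESSED_HEADERS = [
    "_oauth2_proxy_csrf=abc; Path=/; Max-Age=900; HttpOnly; Secure",
]
```

Collect the real headers with `curl -i -b '_oauth2_proxy=<your cookie>' https://<proxy>/oauth2/sign_in` and pass them to `session_cleared`; a `False` result on a release in the affected range means the sign-in page is not ending the session.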

CVSS Details

Base Score
3.5
Exploitability
0.9
Impact
2.5
Vector string
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector Physical
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
8.0% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses (2)

CWE-384: Session Fixation
CWE-613: Insufficient Session Expiration

Affected Products (1)

Vendor                Product        Version   Range
oauth2_proxy_project  oauth2_proxy   *         ≥7.11.0, <7.15.2

References (2)

  • https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2 (Vendor Advisory)
  • https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f (Release Notes)

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.