Vulnerability Details CVE-2026-34454
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.7%
CVSS Severity
CVSS v3 Score 3.5
References
Products affected by CVE-2026-34454
-
cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.11.0
-
cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.12.0
-
cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.13.0
-
cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.14.0
-
cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.14.1
-
cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.14.2
-
cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.14.3
-
cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.15.0
-
cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:7.15.1