{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34454", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T18:18:14.895Z", "datePublished": "2026-04-14T22:10:37.901Z", "dateUpdated": "2026-04-15T13:30:10.300Z"}, "containers": {"cna": {"title": "OAuth2 Proxy: Session cookie not cleared when rendering sign-in page", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-384", "lang": "en", "description": "CWE-384: Session Fixation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f"}, {"name": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2"}], "affected": [{"vendor": "oauth2-proxy", "product": "oauth2-proxy", "versions": [{"version": ">= 7.11.0, < 7.15.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T22:14:00.972Z"}, "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2"}], "source": {"advisory": "GHSA-f24x-5g9q-753f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:30:00.521921Z", "id": "CVE-2026-34454", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:30:10.300Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34454", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:30:00.521921Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:30:06.585Z"}}], "cna": {"title": "OAuth2 Proxy: Session cookie not cleared when rendering sign-in page", "source": {"advisory": "GHSA-f24x-5g9q-753f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "oauth2-proxy", "product": "oauth2-proxy", "versions": [{"status": "affected", "version": ">= 7.11.0, < 7.15.2"}]}], "references": [{"url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f", "name": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2", "name": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "CWE-384: Session Fixation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T22:14:00.972Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34454", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:30:10.300Z", "dateReserved": "2026-03-27T18:18:14.895Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T22:10:37.901Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:*:*:*:*:*:*:*:*", "matchCriteriaId": "72445393-2EA7-4F64-BFA4-B6BAD74B21D8", "versionEndExcluding": "7.15.2", "versionStartIncluding": "7.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2"}], "id": "CVE-2026-34454", "lastModified": "2026-04-23T14:15:40.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T23:16:28.167", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}, {"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.11.0,7.15.2)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "oauth2-proxy", "source": "cna", "vendor": "oauth2-proxy"}, "product": "oauth2_proxy", "vendor": "oauth2_proxy_project"}], "analysis": {"en": {"generated_at": "2026-04-14T23:21:45.170220+00:00", "value": {"mitigation_remediation": ["Upgrade OAuth2 Proxy to version 7.15.2 or later, which clears the session cookie during sign\u2011in page rendering.", "Configure the logout flow to use a dedicated logout endpoint, ensuring the session cookie is explicitly invalidated.", "On shared workstations, enforce separate browser profiles or a separate sign\u2011out procedure to eliminate session persistence."], "summary": {"action": "Upgrade", "impact": "Stale session fixation during logout that can expose authenticated sessions on shared workstations"}, "threat_synthesis": {"affected_systems": "The issue affects deployments of OAuth2 Proxy using the oauth2-proxy product from 7.11.0 up to and including 7.15.1. The regression is fixed in version 7.15.2 and later.", "description_and_impact": "A regression introduced in OAuth2 Proxy 7.11.0 prevents the session cookie from being cleared when the sign\u2011in page is displayed as part of the logout flow. This means that after a user logs out, the browser may still retain the original session cookie and can continue to access protected resources. The consequence is that a subsequent user on the same workstation could gain unauthorized access to the previous user's session, effectively bypassing the logout action.", "risk_and_exploitability": "The CVSS score of 3.5 indicates low severity, and there is no EPSS or KEV entry, meaning the vulnerability is not widely exploited at present. The likely attack vector is a local user on a shared workstation who logs out and then intends to log in again; because the cookie persists, the same authenticated session remains active. Remote exploitation is not required, and the flaw benefits only environments that rely on the sign\u2011in page as part of the logout process."}}}}, "created": "2026-04-15T13:48:23.617009+00:00", "updated": "2026-04-15T14:31:57.025406+00:00", "vendors": ["oauth2_proxy_project", "oauth2_proxy_project$PRODUCT$oauth2_proxy"]}