CVE-2026-34454 - OAuth2 Proxy: Session cookie not cleared when rendering sign-in page
CVE ID :CVE-2026-34454
Published : April 14, 2026, 11:16 p.m. | 2 hours, 24 minutes ago
Description :OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2
Severity: 3.5 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : April 14, 2026, 11:16 p.m. | 2 hours, 24 minutes ago
Description :OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2
Severity: 3.5 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...