Description
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2.
Published: 2026-04-14
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Session cookie left valid after a sign-in-page logout, which can expose the previous user's authenticated session on shared workstations
Action: Upgrade
AI Analysis

Impact

A regression introduced in OAuth2 Proxy 7.11.0 prevents the session cookie from being cleared when the sign-in page is displayed as part of the logout flow. This means that after a user logs out, the browser may still retain the original session cookie and can continue to access protected resources. The consequence is that a subsequent user on the same workstation could gain unauthorized access to the previous user's session, effectively bypassing the logout action.

Affected Systems

The issue affects OAuth2 Proxy (the oauth2-proxy product) from version 7.11.0 up to and including 7.15.1. The regression is fixed in version 7.15.2 and later.

Risk and Exploitability

The CVSS score of 3.5 indicates low severity, and there is no KEV entry and a very low EPSS probability, meaning the vulnerability is not known to be widely exploited at present. The likely scenario is a local user on a shared workstation who logs out via the sign-in page and hands the machine to someone else; because the cookie persists, the same authenticated session remains active for the next user. Remote exploitation is not required, and the flaw affects only environments that rely on the sign-in page as part of the logout process.

Generated by OpenCVE AI on April 14, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OAuth2 Proxy to version 7.15.2 or later, which clears the session cookie during sign-in page rendering.
  • Configure the logout flow to use a dedicated logout endpoint, ensuring the session cookie is explicitly invalidated.
  • On shared workstations, enforce separate browser profiles or a separate sign-out procedure to eliminate session persistence.



Advisories

Source: GitHub GHSA
ID: GHSA-f24x-5g9q-753f
Title: OAuth2 Proxy's session cookies are not cleared when rendering sign-in page
History

Thu, 23 Apr 2026 14:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:*:*:*:*:*:*:*:*

Wed, 15 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values added: Oauth2 Proxy Project; Oauth2 Proxy Project oauth2 Proxy
Type: Vendors & Products
Values added: Oauth2 Proxy Project; Oauth2 Proxy Project oauth2 Proxy

Tue, 14 Apr 2026 22:30:00 +0000

Type: Description
Values added: OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2.
Type: Title
Values added: OAuth2 Proxy: Session cookie not cleared when rendering sign-in page
Type: Weaknesses
Values added: CWE-384, CWE-613
Type: References
Values added: (none shown)
Type: Metrics (cvssV3_1)
Values added: {'score': 3.5, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-15T13:30:10.300Z
Reserved: 2026-03-27T18:18:14.895Z
Link: CVE-2026-34454

Vulnrichment

Updated: 2026-04-15T13:30:06.585Z

NVD

Status: Analyzed
Published: 2026-04-14T23:16:28.167
Modified: 2026-04-23T14:15:40.250
Link: CVE-2026-34454

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses