CVE-2026-34454 — Session Fixation in Oauth2-proxy Oauth2-proxy V7

CWE-384 — Session Fixation CWE-613 — Insufficient Session Expiration2 documents2 sources

Severity

3.5LOWNVD

EPSS

0.0%

top 99.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Oauth2-proxy Oauth2-proxy V7 Oauth2-proxy

Timeline

PublishedApr 14

Description

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use t…

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 0.9 | Impact: 2.5

Affected Packages2 packages

▶Gogithub.com/oauth2-proxy_oauth2-proxy_v77.11.0 — 7.15.2

▶CVEListV5oauth2-proxy/oauth2-proxy>= 7.11.0, < 7.15.2

🔴Vulnerability Details

GHSA

OAuth2 Proxy's session cookies are not cleared when rendering sign-in page↗2026-04-14

▶