CVE-2026-34454
Session Fixation in OAuth2 Proxy 7.11.0β7.15.1 Causes Logout Bypass
Publication date: 2026-04-14
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oauth2_proxy_project | oauth2_proxy | From 7.11.0 (inc) to 7.15.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a regression introduced in OAuth2 Proxy version 7.11.0 that prevents the application from clearing the session cookie when rendering the sign-in page.
As a result, in deployments that rely on the sign-in page as part of their logout process, the user may see the sign-in page but the session cookie remains valid, meaning the browser session is not truly logged out.
On shared devices, this can allow a subsequent user to continue using the previous user's authenticated session.
Deployments that use a dedicated logout or sign-out endpoint to terminate sessions are not affected by this issue.
The issue is fixed in version 7.15.2.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthorized access to an authenticated session on shared workstations or devices.
If the logout flow relies on the sign-in page rather than a dedicated logout endpoint, the session cookie remains valid even after the user appears to have logged out.
This means a subsequent user of the same device could continue to use the previous user's session, potentially accessing sensitive information or performing actions as that user.
This could lead to confidentiality and integrity issues.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade OAuth2 Proxy to version 7.15.2 or later, where the issue is fixed.
Alternatively, if your deployment uses a dedicated logout or sign-out endpoint to terminate sessions, you are not affected by this issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows a user session cookie to remain valid even after the sign-in page is rendered, potentially enabling subsequent users on shared devices to access the previous user's authenticated session.
Such behavior could lead to unauthorized access to user data, which may conflict with compliance requirements in standards like GDPR and HIPAA that mandate proper session termination and protection of personal or sensitive information.
However, the CVE description does not explicitly mention compliance impacts or regulatory considerations.