{"id":"CVE-2026-34454","summary":"OAuth2 Proxy: Session cookie not cleared when rendering sign-in page","details":"OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2","aliases":["BIT-oauth2-proxy-2026-34454","GHSA-f24x-5g9q-753f","GO-2026-5341"],"modified":"2026-07-08T08:12:51.285526753Z","published":"2026-04-14T22:10:37.901Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34454.json","cwe_ids":["CWE-384","CWE-613"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34454.json"},{"type":"ADVISORY","url":"https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34454"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/oauth2-proxy/oauth2-proxy","events":[{"introduced":"c0a928ededa40391baeedf8c5f3e104c047bfb6e"},{"fixed":"5961fd99b42c3625b8ef08690d38be5cb37f44b0"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE","REFERENCES"],"extracted_events":[{"introduced":"7.11.0"},{"fixed":"7.15.2"}],"cpe":"cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:*:*:*:*:*:*:*:*"}}],"versions":["v7.15.1","v7.15.0","v7.14.3","v7.14.2","v7.14.1","v7.14.0","v7.13.0","v7.12.0","v7.11.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34454.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}