PT-2026-32954 · Unknown · OAuth2 Proxy

Fnoehwm +1

Published 2026-04-14 · Updated 2026-04-15 · CVE-2026-34454

CVSS v3.1: 3.5 (Low), vector AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OAuth2 Proxy versions 7.11.0 through 7.15.1

Description: A regression prevents the reverse proxy from clearing the session cookie when rendering the sign-in page. In deployments relying on the sign-in page for the logout flow, the browser session remains valid even when the sign-in page is displayed. This could allow a subsequent user on a shared workstation or device to access the previous user's authenticated session. Deployments using a dedicated logout/sign-out endpoint to terminate sessions are not affected.

Recommendations: Update to version 7.15.2. Use the dedicated logout/sign-out endpoint of OAuth2 Proxy instead of relying on the sign-in page to clear sessions. Ensure the application logout flow explicitly clears the OAuth2 Proxy session cookie before redirecting users to the sign-in page. Clear the session cookie at the reverse proxy or application layer as a temporary mitigation.
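As an added example (not OAuth2 Proxy's own code), the Go middleware below implements the temporary mitigation named above: it deletes the session cookie whenever the sign-in page is served, and includes a check that confirms a response actually clears that cookie. The cookie name `_oauth2_proxy` and the path `/oauth2/sign_in` are assumed OAuth2 Proxy defaults, not values given in this advisory; adjust them to the deployment.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"time"
)

// Assumed, not from the advisory: OAuth2 Proxy's default cookie name and
// sign-in path. Match them to your --cookie-name and --proxy-prefix settings.
const sessionCookieName = "_oauth2_proxy"
const signInPath = "/oauth2/sign_in"

// ClearSessionOnSignIn wraps the handler serving the sign-in page and adds a
// Set-Cookie deleting the session cookie whenever that page is requested.
func ClearSessionOnSignIn(next http.Handler, cookieName, path string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == path {
			http.SetCookie(w, &http.Cookie{
				Name:    cookieName,
				Value:   "",
				Path:    "/",              // must match the path the session cookie was set with
				Expires: time.Unix(0, 0), // already in the past
				MaxAge:  -1,              // written as Max-Age=0: delete now
			})
		}
		next.ServeHTTP(w, r)
	})
}

// SessionCookieCleared reports whether resp carries a Set-Cookie that deletes
// cookieName (empty value with Max-Age=0 or an Expires in the past).
func SessionCookieCleared(resp *http.Response, cookieName string) bool {
	for _, c := range resp.Cookies() {
		expired := c.MaxAge < 0 || (!c.Expires.IsZero() && c.Expires.Before(time.Now()))
		if c.Name == cookieName && c.Value == "" && expired {
			return true
		}
	}
	return false
}

// ProbeSignIn sends a request for path through the mitigation in front of a constructed stand-in sign-in handler.
func ProbeSignIn(path string) bool {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("sign-in page")) })
	rec := httptest.NewRecorder()
	ClearSessionOnSignIn(upstream, sessionCookieName, signInPath).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return SessionCookieCleared(rec.Result(), sessionCookieName)
}
```

Point `SessionCookieCleared` at a real response from the deployed sign-in page (with a valid session cookie sent) to verify whether the deployment is still affected after applying the mitigation or the upgrade.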

Fix

Weakness Enumeration: Insufficient Session Expiration; Session Fixation

Related Identifiers: CVE-2026-34454; GHSA-F24X-5G9Q-753F

Affected Products: OAuth2 Proxy