GHSA-f24x-5g9q-753f · Severity: low · Ecosystem: go — OAuth2 Proxy's session cookies are not cleared when rendering sign-in page
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2
Conclusion & alert: CVE-2026-34454 is rated Low Risk (17/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.18%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.01% | 0.18% | +0.18% |
| 2 | 2026-04-15 | — | 0.01% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 3.5 | 3.1 | LOW |
|
0.9 | 2.5 | [email protected] |
GHSA-f24x-5g9q-753f · Severity: low · Ecosystem: go — OAuth2 Proxy's session cookies are not cleared when rendering sign-in page
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| oauth2_proxy_project | oauth2_proxy | >= 7.11.0, < 7.15.2 | cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2 | Vendor Advisory |
| https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f | Release Notes |