CVE-2026-34454 Overview
OAuth2 Proxy is a widely-used reverse proxy that provides authentication using OAuth2 providers. A regression introduced in version 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. This session fixation vulnerability (CWE-384) means that in deployments relying on the sign-in page as part of their logout flow, users may be shown the sign-in page while the existing session cookie remains valid, leaving the browser session still authenticated.
Critical Impact
On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session, potentially gaining unauthorized access to protected resources and sensitive data.
Affected Products
- OAuth2 Proxy versions 7.11.0 through 7.15.1
- Deployments that use the sign-in page as part of their logout flow
- Shared workstation environments are at highest risk
Discovery Timeline
- 2026-04-14 - CVE-2026-34454 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-34454
Vulnerability Analysis
This vulnerability represents a session fixation weakness where the OAuth2 Proxy fails to properly invalidate session cookies during the logout process. The regression affects the sign-in page rendering logic, which should clear existing session cookies but instead leaves them intact and valid. This creates a window where authenticated sessions persist beyond their intended lifecycle, particularly problematic in shared computing environments where multiple users access the same browser instance.
The physical access requirement reflects the attack scenario where an attacker must have access to the same workstation or device where a legitimate user has initiated a logout. The vulnerability does not require authentication from the attacker's perspective, as they simply inherit the previous user's still-valid session.
Root Cause
The root cause is a regression introduced in OAuth2 Proxy version 7.11.0 that inadvertently removed or bypassed the session cookie clearing logic when the sign-in page is rendered. When a user initiates logout through the sign-in page flow, the application renders the sign-in interface but fails to execute the session termination routine, leaving the _oauth2_proxy session cookie intact and usable.
Attack Vector
The attack requires physical access to a shared workstation or device. An attacker exploiting this vulnerability would follow this sequence:
- Wait for a legitimate user to complete their work and attempt to log out via the sign-in page
- The victim sees the sign-in page and assumes they are logged out
- The attacker gains physical access to the same browser/workstation
- The attacker navigates to the protected application
- The still-valid session cookie authenticates the attacker as the previous user
The vulnerability is particularly concerning in kiosk environments, shared office workstations, library computers, or any scenario where multiple users access the same browser session. Deployments using dedicated /sign_out or /oauth2/sign_out endpoints that explicitly terminate sessions are not affected by this issue.
Detection Methods for CVE-2026-34454
Indicators of Compromise
- Session cookies persisting in browser storage after sign-in page is displayed
- Users reporting access to other users' authenticated sessions
- Audit logs showing same session ID used by different users or from different locations
- Multiple successful authentications without corresponding session creation events
Detection Strategies
- Monitor OAuth2 Proxy logs for session reuse patterns across different IP addresses or user agents
- Implement browser fingerprinting to detect session usage from different browser instances
- Review access patterns on shared workstations for anomalous session continuity
- Check OAuth2 Proxy version and configuration to identify vulnerable deployments
Monitoring Recommendations
- Enable verbose logging for OAuth2 Proxy session management operations
- Configure alerts for session cookies that remain active beyond expected timeframes
- Implement user behavior analytics to detect session hijacking scenarios
- Monitor for the specific regression by testing logout functionality in staging environments
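One concrete form of the staging test recommended above: the following added example (not oauth2-proxy project code) fetches the sign-in page and inspects the Set-Cookie headers for a response that empties or expires the session cookie. It assumes the defaults: sign-in page at /oauth2/sign_in, cookie name _oauth2_proxy, proxy listening on port 4180.

```python
"""Staging check for the sign-in-page regression: does the sign-in response clear
the session cookie?  Added example, not oauth2-proxy project code.  Assumptions:
sign-in page at /oauth2/sign_in, default cookie name _oauth2_proxy, port 4180."""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
import urllib.request

COOKIE_NAME = "_oauth2_proxy"
# Matches the session cookie itself or the _0, _1, ... chunks oauth2-proxy emits
# when a large session is split.  Deliberately excludes _oauth2_proxy_csrf, which
# is the CSRF cookie, not a session cookie.
_SESSION_COOKIE = re.compile(rf"^{re.escape(COOKIE_NAME)}(_\d+)?$")


def clears_session_cookie(set_cookie_headers, now=None):
    """True if any Set-Cookie header empties or expires the session cookie."""
    now = now or datetime.now(timezone.utc)
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not _SESSION_COOKIE.match(name):
                continue
            if morsel.value == "":                     # e.g. "_oauth2_proxy=; ..."
                return True
            max_age = morsel["max-age"]
            if max_age.lstrip("-").isdigit() and int(max_age) <= 0:
                return True
            if morsel["expires"]:
                try:                                   # Expires date in the past
                    if parsedate_to_datetime(morsel["expires"]) <= now:
                        return True
                except (TypeError, ValueError):
                    pass                               # unparsable date: not proof
    return False


def check_sign_in_page(base_url):
    """Fetch the sign-in page; False on an affected version is the regression."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/oauth2/sign_in") as resp:
        return clears_session_cookie(resp.headers.get_all("Set-Cookie") or [])


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:4180"
    ok = check_sign_in_page(target)
    print("session cookie cleared" if ok else "SESSION COOKIE NOT CLEARED (vulnerable)")
```

Run it against a staging instance after each upgrade; a fixed deployment answers the sign-in page with a clearing Set-Cookie, an affected one answers without it.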
How to Mitigate CVE-2026-34454
Immediate Actions Required
- Upgrade OAuth2 Proxy to version 7.15.2 or later immediately
- If immediate upgrade is not possible, configure deployments to use dedicated logout endpoints instead of relying on the sign-in page
- Educate users on shared workstations to manually clear browser cookies after logout
- Consider implementing browser-based session timeout mechanisms as an additional layer
Patch Information
The OAuth2 Proxy team has released version 7.15.2 which addresses this session fixation vulnerability. The fix restores proper session cookie clearing behavior when the sign-in page is rendered. Administrators should upgrade to this version or later to remediate the vulnerability. For detailed release information, see the GitHub Release v7.15.2 and the GitHub Security Advisory GHSA-f24x-5g9q-753f.
Workarounds
- Configure OAuth2 Proxy to use the dedicated /oauth2/sign_out endpoint for logout operations instead of rendering the sign-in page
- Implement session timeout policies with shorter expiration windows to limit the exposure window
- Deploy browser-level controls on shared workstations to clear cookies on browser close
- Use separate browser profiles or private/incognito browsing for shared workstation scenarios
# oauth2-proxy command-line flags: keep the cookie lifetime short so a cookie
# left behind on a shared workstation stops working soon
--cookie-expire=1h0m0s
--cookie-refresh=0h15m0s

# Point application logout links at the dedicated sign_out endpoint rather than
# the sign-in page; rd= forwards the browser on to the provider's own logout:
#   /oauth2/sign_out?rd=https://your-provider.com/logout

# The same settings in the oauth2-proxy configuration file, for example in a
# Kubernetes ConfigMap mounted into the pod:
# data:
#   oauth2-proxy.cfg: |
#     cookie_expire = "1h"
#     cookie_refresh = "15m"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

