Nixpkgs security tracker

Details of issue NIXPKGS-2026-1115

NIXPKGS-2026-1115
published on
CVE-2026-34454
3.5 LOW
  • CVSS version: 3.1
  • Attack vector (AV): PHYSICAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 18 hours ago by @LeSuisse
Activity log
  • Created automatic suggestion
  • @LeSuisse ignored reference https://g…
  • @LeSuisse ignored maintainer @Swarsel maintainer.ignore
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
OAuth2 Proxy: Session cookie not cleared when rendering sign-in page

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2.
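
A deployment can verify the behaviour described above by inspecting the Set-Cookie headers returned with the sign-in page. The check below is an added example, not code from OAuth2 Proxy or the tracker; it assumes the default cookie name `_oauth2_proxy`, numbered split cookies (`_oauth2_proxy_0`, ...), and the header values shown are constructed samples.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

COOKIE_NAME = "_oauth2_proxy"  # assumption: default name; change if configured otherwise

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, lowercase attrs)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def tells_browser_to_drop(attrs, now):
    """Max-Age wins over Expires (RFC 6265); either can expire a cookie."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False  # session cookie with no expiry attribute is not a deletion

def signin_clears_session(set_cookie_headers, cookie_name=COOKIE_NAME, now=None):
    """True if the sign-in response expires the session cookie (or a split part).

    The CSRF cookie (<name>_csrf) is deliberately not counted as the session."""
    now = now or datetime.now(timezone.utc)
    session = re.compile(r"^%s(_\d+)?$" % re.escape(cookie_name))
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if session.match(name) and tells_browser_to_drop(attrs, now):
            return True
    return False

# Constructed sample headers, not captured from a real deployment.
CLEARING = ["_oauth2_proxy=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure"]
NOT_CLEARING = ["_oauth2_proxy_csrf=; Path=/; Max-Age=0; HttpOnly; Secure"]
```

Feed it the Set-Cookie values from a GET of the sign-in page made with a valid session; a False result on a deployment whose logout flow ends at that page means the session survives.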

Affected products

oauth2-proxy
  • >= 7.11.0, < 7.15.2

Matching in nixpkgs

pkgs.oauth2-proxy

Reverse proxy that provides authentication with Google, Github, or other providers

Package maintainers

Ignored maintainers (1)