GSSA-2026-04-7H74R2 | 2026-04-25 | 2.0 | Low
OAuth state cookie missing `Secure` and `Path` attributes
The OAuth `state` cookie used for CSRF protection on the login flow lacked `Secure`, `Path`, and `Max-Age`, weakening the CSRF guarantee on plaintext-HTTP hops.
The OAuth state cookie used for CSRF protection on the login flow lacked Secure, Path, and Max-Age attributes, weakening the CSRF guarantee on plaintext-HTTP hops and persisting longer than necessary.
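As an added example (not the advisory's or the project's own code; the cookie name `oauth_state`, the callback path and the 300-second lifetime are assumptions), here is a Set-Cookie header of the weak shape the advisory describes beside a hardened one, with a small audit function that reports which of the three attributes a header lacks:

```python
# Added example, not taken from the advisory or the affected project.
import secrets

# Constructed Set-Cookie header with the weakness the advisory describes:
# only the state value and HttpOnly, no Secure, Path or Max-Age.
WEAK_STATE_COOKIE = "oauth_state=abc123; HttpOnly"

REQUIRED_ATTRS = ("Secure", "Path", "Max-Age")


def build_state_cookie(state: str, callback_path: str = "/oauth/callback",
                       ttl_seconds: int = 300) -> str:
    """Return a Set-Cookie header for the OAuth state nonce.

    Secure keeps the cookie off plaintext-HTTP hops, Path scopes it to the
    callback route so no other handler ever sees it, Max-Age bounds it to
    the login attempt instead of the whole session, and SameSite=Lax lets
    the top-level redirect back from the identity provider still carry it
    (Strict would drop the cookie on that cross-site navigation).
    Cookie name, path and lifetime here are assumed values.
    """
    return (
        f"oauth_state={state}; Secure; HttpOnly; SameSite=Lax; "
        f"Path={callback_path}; Max-Age={ttl_seconds}"
    )


def missing_attributes(set_cookie: str) -> list[str]:
    """Return the required attributes absent from a Set-Cookie header.

    Attribute names are matched case-insensitively, as browsers do; the
    first segment (name=value) is skipped.
    """
    attrs = [p.strip() for p in set_cookie.split(";")[1:]]
    names = {a.split("=", 1)[0].lower() for a in attrs}
    return [req for req in REQUIRED_ATTRS if req.lower() not in names]


def new_state() -> str:
    """Unpredictable state value; the CSRF guarantee rests on it."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print("weak cookie lacks:", missing_attributes(WEAK_STATE_COOKIE))
    print("hardened cookie lacks:", missing_attributes(build_state_cookie(new_state())))
```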