OIDC Middleware Flaw Exposes Applications to Session Hijacking

A critical vulnerability in a widely used OpenID Connect (OIDC) middleware has been discovered that enables session fixation through improper state validation. An attacker can pre-generate a login flow and trick a victim into completing it, so that the authenticated session produced at the callback is one the attacker already controls. This highlights a regression in OIDC implementations where the state or PKCE parameters are not strictly enforced or bound to the browser session that started the flow. Web developers must ensure that the state parameter is cryptographically random, stored against the initiating browser session, and compared with that stored value on the callback endpoint before any authorization code is exchanged; the PKCE code_verifier must be kept in the same session so that a code minted in someone else's flow cannot be redeemed.