diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ac39d61..dc1f773a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,6 +34,7 @@
 - [#1244](https://github.com/oauth2-proxy/oauth2-proxy/pull/1244) Update Alpine image version to 3.14 (@ahovgaard)
 - [#1317](https://github.com/oauth2-proxy/oauth2-proxy/pull/1317) Fix incorrect `` tag on the sing_in page when *not* using a custom template (@jord1e)
 - [#1330](https://github.com/oauth2-proxy/oauth2-proxy/pull/1330) Allow specifying URL as input for custom sign in logo (@MaikuMori)
+- [#1357](https://github.com/oauth2-proxy/oauth2-proxy/pull/1357) Fix unsafe access to session variable (@harzallah)
 # V7.1.3
diff --git a/pkg/middleware/basic_session.go b/pkg/middleware/basic_session.go
index a6e92faa..71b822c0 100644
--- a/pkg/middleware/basic_session.go
+++ b/pkg/middleware/basic_session.go
@@ -31,7 +31,9 @@ func loadBasicAuthSession(validator basic.Validator, sessionGroups []string, pre
 if preferEmail {
 getSession = func(validator basic.Validator, sessionGroups []string, req *http.Request) (*sessionsapi.SessionState, error) {
 session, err := getBasicSession(validator, sessionGroups, req)
- session.Email = session.User
+ if session != nil {
+ session.Email = session.User
+ }
 return session, err
 }
 }
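Review bot: The new guard in the `preferEmail` closure tests only `session != nil`, so if `getBasicSession` ever returns a non-nil session together with an error, the closure still fills in `Email` and hands that session back alongside the error. Whether that can happen is not visible in this hunk, but on an authentication path I would make the failure case explicit ahead of the nil check, e.g. `if err != nil { return nil, err }`, so a populated session never leaves with an error. A short comment such as `// getBasicSession returns a nil session when the request carries no usable basic-auth credentials` (to be confirmed against that function) would tell the next reader why the guard exists. The diff shows no regression test for the `preferEmail` path with a missing or rejected Authorization header, which is presumably the case that caused the nil dereference. The body of `loadBasicAuthSession` starts and continues outside the hunk.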