{"id":"CVE-2026-30224","summary":"OliveTin: Session Fixation - Logout Fails to Invalidate Server-Side Session","details":"OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1.","aliases":["GHSA-gq2m-77hf-vwgh","GO-2026-4623"],"modified":"2026-04-10T05:41:46.512441Z","published":"2026-03-06T21:01:37.027Z","related":["SUSE-SU-2026:1042-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30224.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-384","CWE-613"]},"references":[{"type":"WEB","url":"https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30224.json"},{"type":"ADVISORY","url":"https://github.com/OliveTin/OliveTin/security/advisories/GHSA-gq2m-77hf-vwgh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30224"},{"type":"FIX","url":"https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/OliveTin/OliveTin","events":[{"introduced":"0"},{"fixed":"276e3f62ddb87f9cb87903b19203e35db01a0c95"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3000.11.1"}]}},{"type":"GIT","repo":"https://github.com/olivetin/olivetin","events":[{"introduced":"0"},{"fixed":"d6a0abc3755d43107be1939567c52953bcbec3d5"},{"fixed":"276e3f62ddb87f9cb87903b19203e35db01a0c95"}]}],"versions":["2021-05-19.28","2021-05-24.f44","2021-05-25","2021-05-28","2021-07-16","2021-07-19","2021-11-02.alpha1-task-arguments","2021-11-17","2021-11-17-2","2021-11-19","2022-01-06","2022-04-07","2022-10-19","2022.11.11","2022.11.14","2023.02.16","2023.03.22","2023.03.24","2023.03.24-2","2023.03.24-3","2023.03.24-4","2023.03.25","2023.10.09","2023.10.12","2023.10.24","2023.10.25","2023.12.1","2023.12.17","2023.12.20","2023.12.21","2024.02.01","2024.02.27","2024.02.28","2024.03.01","2024.03.05","2024.03.06","2024.03.08","2024.03.081","2024.03.24","2024.04.021","2024.04.09","2024.04.11","2024.04.14","2024.04.18","2024.04.20","2024.04.26","2024.04.261","2024.04.28","2024.05.13","2024.05.24","2024.05.27","2024.05.31","2024.05.51","2024.06.01","2024.06.02","2024.06.04","2024.07.03","2024.07.06","2024.07.07","2024.07.13","2024.07.15","2024.07.152","2024.07.153","2024.07.16","2024.08.14","2024.08.25","2024.08.31","2024.09.02","2024.09.10","2024.09.11","2024.09.16","2024.10.01","2024.10.02","2024.10.14","2024.10.17","2024.10.18","2024.10.26","2024.10.27","2024.11.02","2024.11.09","2024.11.18","2024.11.24","2024.12.11","2025.2.19","2025.2.21","2025.3.23","2025.3.28","2025.4.14","2025.4.21","2025.4.22","2025.4.8","2025.5.26","2025.6.1","2025.6.22","2025.6.6","2025.7.13","2025.7.19","3000.0.0","3000.0.1","3000.0.2","3000.1.0","3000.1.1","3000.1.2","3000.10.0","3000.10.1","3000.10.2","3000.11.0","3000.2.0","3000.2.1","3000.3.0","3000.3.1","3000.3.2","3000.4.0","3000.5.0","3000.6.0","3000.7.0","3000.8.0","3000.9.0","3000.9.1","3000.9.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30224.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}]}