CVE-2026-30224
Published 2026-03-06
Priority P336 · Severity medium · CVSS 3.1 base score 5.4 · Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS 0.30% (21.8th percentile)
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | olivetin_olivetin | >= 0 < 0.0.0-20260304233115-d6a0abc3755d15 | 0.0.0-20260304233115-d6a0abc3755d15 |
| olivetin | olivetin | < 3000.11.1 | 3000.11.1 |
OSV
OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session in github.com/OliveTin/OliveTin
osv·2026-03-10
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/OliveTin/OliveTin before v0.0.0-20260304233115-d6a0abc3755d15.
OSV
OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session
osv·2026-03-05
CVE-2026-30224 [MEDIUM] OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session
### Summary
OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year).
An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass.
This is a session management flaw that violates expected logout semantics.
### Details
During logout:
```
// Logout only clears browser cookie
response.Header().Set("Set-Cookie", localCookie.String())
```
However, the server still accepts the session:
```
session := sessionStorage.Providers[provider].Sessions[sid]
...
return session
```
The SID is not d
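The logout gap described in the Details above, as an added example that is not OliveTin's code: a minimal in-memory session store with the cookie-only logout beside a logout that also deletes the server-side record, so the same cookie value stops authenticating. The `Store`, `Create`, `Valid`, `LogoutVulnerable` and `LogoutFixed` names and the `sid` cookie name are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"net/http"
	"time"
)

// Store is a hypothetical provider -> session ID -> expiry map that mirrors the
// advisory's sessionStorage.Providers[provider].Sessions[sid] lookup.
type Store struct{ Providers map[string]map[string]time.Time }

func NewStore() *Store { return &Store{Providers: map[string]map[string]time.Time{}} }

// Create registers a session under a random ID with the given lifetime
// (OliveTin's default is about a year, per the advisory).
func (s *Store) Create(provider string, ttl time.Duration) string {
	b := make([]byte, 16)
	rand.Read(b)
	sid := hex.EncodeToString(b)
	if s.Providers[provider] == nil {
		s.Providers[provider] = map[string]time.Time{}
	}
	s.Providers[provider][sid] = time.Now().Add(ttl)
	return sid
}

// Valid reports whether a presented SID still authenticates: any ID still in
// the store and not yet expired is accepted, which is why a captured cookie
// keeps working after a logout that never touched the store.
func (s *Store) Valid(provider, sid string) bool {
	expiry, ok := s.Providers[provider][sid]
	return ok && time.Now().Before(expiry)
}

// LogoutVulnerable only tells the browser to drop the cookie ("sid" is an
// assumed cookie name); the server-side session is left untouched.
func (s *Store) LogoutVulnerable(w http.ResponseWriter) {
	http.SetCookie(w, &http.Cookie{Name: "sid", Value: "", MaxAge: -1, HttpOnly: true})
}

// LogoutFixed deletes the server-side record first, so the same cookie value
// can no longer authenticate, then clears the browser cookie as before.
func (s *Store) LogoutFixed(w http.ResponseWriter, provider, sid string) {
	delete(s.Providers[provider], sid)
	s.LogoutVulnerable(w)
}
```

A detection-side check for the same flaw is to log in, call the logout endpoint, and replay the old cookie: a 200 on an authenticated route after logout is the bug.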
GHSA
OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session
ghsa·2026-03-05
CVE-2026-30224 [MEDIUM] CWE-384 OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session
No detection rules found.
No public exploits indexed.