VYPR
Moderate severity · NVD Advisory · Published Mar 6, 2026 · Updated Mar 9, 2026

OliveTin: Session Fixation - Logout Fails to Invalidate Server-Side Session

CVE-2026-30224

Description

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OliveTin fails to invalidate server-side sessions on logout, allowing attackers to reuse stolen session cookies for up to a year.

Vulnerability

Overview

OliveTin, a web interface for executing predefined shell commands, does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until its default expiry of approximately one year [1][4]. This session management flaw violates expected logout semantics and enables a post-logout authentication bypass.

Exploitation

An attacker who has previously stolen or captured a session cookie can continue to authenticate after the legitimate user logs out. The server still accepts the old session identifier (SID) because it is not deleted from sessionStorage during logout [2]. The attack requires network access to the OliveTin instance and possession of a valid session cookie, which could be obtained via cross-site scripting, man-in-the-middle, or other means.

Impact

Successful exploitation allows an attacker to maintain authenticated access to the OliveTin web interface even after the victim logs out. This could lead to unauthorized execution of shell commands, depending on the configured actions and user privileges. The vulnerability is rated as moderate severity [4].

Mitigation

The issue has been patched in OliveTin version 3000.11.1. The fix adds a RevokeSessionForProvider function that removes the session from server-side storage upon logout [2]. Users should upgrade to the patched version immediately. No workarounds are documented.
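A minimal illustration of the flaw and of what the fix changes, added here as example code that is not OliveTin's own: a server-side session store whose logout handler either clears the browser cookie only (the pre-fix behaviour) or also revokes the stored session. SessionStore, logoutHandler, the cookie name sid and the sample SID are assumptions for this example, not names from the project.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// SessionStore is a minimal server-side session map assumed for this example
// (sid -> username); it is not OliveTin's SessionStorage and is not goroutine-safe.
type SessionStore struct{ sessions map[string]string }
func NewSessionStore() *SessionStore { return &SessionStore{sessions: map[string]string{}} }
func (s *SessionStore) Register(sid, user string) { s.sessions[sid] = user }

// Lookup is what every authenticated request does: the SID is accepted while the store has it.
func (s *SessionStore) Lookup(sid string) (string, bool) { u, ok := s.sessions[sid]; return u, ok }

// Revoke deletes the session server-side and reports whether it existed.
func (s *SessionStore) Revoke(sid string) bool {
	_, ok := s.sessions[sid]
	delete(s.sessions, sid)
	return ok
}
// logoutHandler always clears the browser cookie (the pre-3000.11.1 behaviour);
// with revoke=true it also deletes the server-side session, which is what the fix adds.
func logoutHandler(store *SessionStore, revoke bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("sid"); err == nil && revoke {
			store.Revoke(c.Value)
		}
		http.SetCookie(w, &http.Cookie{Name: "sid", Value: "", MaxAge: -1, Path: "/"})
		w.WriteHeader(http.StatusOK)
	}
}

// StillValidAfterLogout replays a previously captured SID after the victim logs
// out and reports whether the server would still accept it.
func StillValidAfterLogout(revoke bool) bool {
	store := NewSessionStore()
	store.Register("captured-sid", "alice") // constructed sample session
	req := httptest.NewRequest(http.MethodPost, "/logout", nil)
	req.AddCookie(&http.Cookie{Name: "sid", Value: "captured-sid"})
	logoutHandler(store, revoke)(httptest.NewRecorder(), req)
	_, ok := store.Lookup("captured-sid")
	return ok
}

func main() {
	fmt.Println("cookie cleared only, SID still accepted:", StillValidAfterLogout(false)) // true
	fmt.Println("server-side revoke, SID still accepted:", StillValidAfterLogout(true))   // false
}
```

The same check, run against a real deployment's session store after logout, is the regression test worth keeping for this class of bug.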

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/OliveTin/OliveTin (Go)
Affected versions: < 0.0.0-20260304233115-d6a0abc3755d15
Patched versions: 0.0.0-20260304233115-d6a0abc3755d15

Affected products

  • Range: <=3000.11.0
  • OliveTin/OliveTinv5
    Range: < 3000.11.1

Patches

d6a0abc3755d

security: GHSA-gq2m-77hf-vwgh (MODERATE) Session Fixation: Logout Fails to Invalidate Server-Side Session

https://github.com/OliveTin/OliveTin · jamesread · Mar 4, 2026 · via ghsa
4 files changed · +44 −2
  • service/internal/api/api.go (+2 −0, modified)
    @@ -392,6 +392,8 @@ func (api *oliveTinAPI) ExecutionStatus(ctx ctx.Context, req *connect.Request[ap
     func (api *oliveTinAPI) Logout(ctx ctx.Context, req *connect.Request[apiv1.LogoutRequest]) (*connect.Response[apiv1.LogoutResponse], error) {
     	user := auth.UserFromApiCall(ctx, req, api.cfg)
     
    +	auth.RevokeSessionForProvider(api.cfg, user.Provider, user.SID)
    +
     	log.WithFields(log.Fields{
     		"username": user.Username,
     		"provider": user.Provider,
    
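Review bot: the new `auth.RevokeSessionForProvider(api.cfg, user.Provider, user.SID)` call runs before the existing log statement and reports nothing, so a logout whose revocation did nothing (empty SID, or an OAuth2 logout with no revoker registered) is indistinguishable in the logs from a successful one; consider having the revoke report whether a session was actually removed and adding that to the `log.Fields`. Also, if `auth.UserFromApiCall` can return nil for an unauthenticated caller, this line dereferences it; a nil guard before the call is cheap, since `RevokeSessionForProvider` already tolerates an empty SID.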
  • service/internal/auth/otoauth2/restapi_auth_oauth2.go (+6 −0, modified)
    @@ -391,6 +391,12 @@ func (h *OAuth2Handler) lookupOAuth2UserByState(state string) (*authTypes.Authen
     	return user, true
     }
     
    +func (h *OAuth2Handler) RevokeSession(sid string) {
    +	h.mu.Lock()
    +	defer h.mu.Unlock()
    +	delete(h.registeredStates, sid)
    +}
    +
     func (h *OAuth2Handler) CheckUserFromOAuth2Cookie(context *authTypes.AuthCheckingContext) *authTypes.AuthenticatedUser {
     	cookie, err := context.Request.Cookie("olivetin-sid-oauth")
     	if err != nil || cookie.Value == "" {
    
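Review bot: `RevokeSession` deletes from `h.registeredStates` keyed by `sid`, but the surrounding code names that map by OAuth2 state (`lookupOAuth2UserByState`) while the session is read from the `olivetin-sid-oauth` cookie; if the cookie value is not the same key as the registered state, the `delete` is a silent no-op and the OAuth2 session stays valid after logout. Worth a comment stating that the cookie value is the state key, plus a unit test that logs out an OAuth2 session and asserts `CheckUserFromOAuth2Cookie` then rejects the same cookie. Returning whether the key existed would also let the caller log a failed revocation.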
  • service/internal/auth/sessions.go (+35 −2, modified)
    @@ -25,8 +25,9 @@ type SessionStorage struct {
     }
     
     var (
    -	sessionStorage      *SessionStorage
    -	sessionStorageMutex sync.RWMutex
    +	sessionStorage       *SessionStorage
    +	sessionStorageMutex  sync.RWMutex
    +	oauth2SessionRevoker func(sid string)
     )
     
     func init() {
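Review bot: `oauth2SessionRevoker` is a package-level variable that `RegisterOAuth2SessionRevoker` writes without taking `sessionStorageMutex`, while `RevokeSessionForProvider` reads it on every logout. That is only race-free if registration completes before any request is served, so either document that requirement at the declaration or guard the variable with the existing mutex or a `sync.Once`.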
    @@ -58,6 +59,38 @@ func RegisterUserSession(cfg *config.Config, provider string, sid string, userna
     	saveUserSessions(cfg)
     }
     
    +// RegisterOAuth2SessionRevoker registers a callback to revoke OAuth2 sessions on logout.
    +// OAuth2 uses its own session storage; the API calls this when provider is oauth2.
    +func RegisterOAuth2SessionRevoker(fn func(sid string)) {
    +	oauth2SessionRevoker = fn
    +}
    +
    +// RevokeSessionForProvider invalidates the session for the given provider and SID (e.g. on logout).
    +// Local auth uses shared SessionStorage; OAuth2 uses a separate storage and revoker.
    +func RevokeSessionForProvider(cfg *config.Config, provider string, sid string) {
    +	if sid == "" {
    +		return
    +	}
    +	if provider == "oauth2" && oauth2SessionRevoker != nil {
    +		oauth2SessionRevoker(sid)
    +		return
    +	}
    +	RevokeUserSession(cfg, provider, sid)
    +}
    +
    +// RevokeUserSession removes a session from storage so it can no longer be used (e.g. on logout).
    +func RevokeUserSession(cfg *config.Config, provider string, sid string) {
    +	sessionStorageMutex.Lock()
    +	defer sessionStorageMutex.Unlock()
    +
    +	if sessionStorage.Providers[provider] != nil {
    +		delete(sessionStorage.Providers[provider].Sessions, sid)
    +		if cfg != nil {
    +			saveUserSessions(cfg)
    +		}
    +	}
    +}
    +
     // GetUserSession retrieves a user session
     func GetUserSession(provider string, sid string) *UserSession {
     	sessionStorageMutex.Lock()
    
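Review bot: in `RevokeSessionForProvider`, when `provider == "oauth2"` but no revoker has been registered, control falls through to `RevokeUserSession`, which per the comment above is not where OAuth2 sessions live, so the logout silently leaves the session valid; log or return an error in that branch instead of falling through. `RevokeUserSession` also calls `saveUserSessions(cfg)` even when `sid` was not present in `Sessions`, and gives the caller no indication whether anything was removed; checking membership before the `delete` and returning a bool would fix both and make the `cfg != nil` guard worth keeping.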
  • service/internal/httpservers/frontend.go (+1 −0, modified)
    @@ -101,6 +101,7 @@ func StartFrontendMux(cfg *config.Config, ex *executor.Executor) {
     
     	oauth2handler := otoauth2.NewOAuth2Handler(cfg)
     	auth.AddAuthChainFunction(oauth2handler.CheckUserFromOAuth2Cookie)
    +	auth.RegisterOAuth2SessionRevoker(oauth2handler.RevokeSession)
     
     	mux.HandleFunc("/oauth/login", oauth2handler.HandleOAuthLogin)
     	mux.HandleFunc("/oauth/callback", oauth2handler.HandleOAuthCallback)
    
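Review bot: the revoker is bound to the single `oauth2handler` created in `StartFrontendMux`, which is correct only while that is the sole `NewOAuth2Handler` instance; if another mux or a test path constructs its own handler, its sessions are not covered by this registration. A short comment next to `RegisterOAuth2SessionRevoker` noting this coupling (or moving the registration into `NewOAuth2Handler`) would keep a second instance from silently reintroducing the bug.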

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
