Moderate severity · NVD Advisory · Published Mar 6, 2026 · Updated Mar 9, 2026
OliveTin: Session Fixation - Logout Fails to Invalidate Server-Side Session
CVE-2026-30224
Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1.
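To make the flaw concrete, here is an added example (not OliveTin's own code): a constructed in-memory session store whose logout either leaves the server-side record in place, as the advisory describes for versions before 3000.11.1, or revokes it. The type and function names (SessionStore, LogoutVulnerable, LogoutFixed) are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"sync"
)

// SessionStore is a constructed in-memory server-side session table
// (hypothetical, not OliveTin's own code): session ID -> username.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]string
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: map[string]string{}}
}

// Login creates a server-side session and returns the ID the cookie will carry.
func (s *SessionStore) Login(user string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	id := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[id] = user
	return id
}

// Authenticate reports whether a presented session ID is still valid server-side.
func (s *SessionStore) Authenticate(id string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	user, ok := s.sessions[id]
	return user, ok
}

// LogoutVulnerable mirrors the pre-3000.11.1 behaviour in the advisory: only the
// browser cookie is cleared, so the server-side record outlives the logout.
func (s *SessionStore) LogoutVulnerable(id string) {}

// LogoutFixed also deletes the server-side record, so a captured ID dies with it.
func (s *SessionStore) LogoutFixed(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, id)
}
```

A regression check for the fix is simply: after logout, the ID that was in the cookie must no longer authenticate.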
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/OliveTin/OliveTin (Go) | < 0.0.0-20260304233115-d6a0abc3755d15 | 0.0.0-20260304233115-d6a0abc3755d15 |
Affected products
- GHSA coordinates (2 versions): pkg:golang/github.com/olivetin/olivetin; pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
- (no CPE) range: < 0.0.0-20260304233115-d6a0abc3755d15
- (no CPE) range: < 0.0.20260317T205859-150000.1.152.1
References
- https://github.com/advisories/GHSA-gq2m-77hf-vwgh (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-30224 (advisory)
- https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5 (fix commit)
- https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1 (release)
- https://github.com/OliveTin/OliveTin/security/advisories/GHSA-gq2m-77hf-vwgh (vendor advisory)