CVE-2026-30224
Received Received - Intake
Post-Logout Session Fixation in OliveTin Web Interface

Publication date: 2026-03-06

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default β‰ˆ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30224
EUVD
EUVD-2026-10073
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
olivetin olivetin to 3000.11.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30224 is a session fixation vulnerability in OliveTin versions prior to 3000.11.1. The issue arises because when a user logs out, the server does not invalidate the server-side session associated with that user. Although the browser cookie is cleared, the session identifier (SID) remains valid on the server until it expires, which can be about one year by default.

This means an attacker who has previously stolen or captured a valid session cookie can reuse it after the user logs out, effectively bypassing the logout process and continuing to authenticate as that user. The vulnerability is due to a failure to revoke or delete the session on the server side during logout, violating expected logout semantics.

Impact Analysis

This vulnerability allows an attacker with access to a stolen or captured session cookie to continue accessing the OliveTin application as the victim even after the victim has logged out. This results in a post-logout authentication bypass.

The impact includes persistent unauthorized access, which can lead to exposure of sensitive information or unauthorized actions within the application. Users may be misled into believing their session ended upon logout, while attackers can maintain access for up to the session expiry period (approximately one year by default).

  • Risks are higher in environments with shared computers, cross-site scripting (XSS), session theft, proxy logs, malware, or browser compromise.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by verifying whether server-side sessions remain valid after a user logs out. Specifically, if a session cookie (SID) that was previously used can still be replayed to gain authenticated access after logout, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'A practical detection method involves these steps:'}, {'type': 'list_item', 'content': 'Log in to the OliveTin web interface and capture the session cookie (SID).'}, {'type': 'list_item', 'content': 'Log out from the application, which clears the cookie client-side.'}, {'type': 'list_item', 'content': 'Attempt to reuse the captured SID cookie in subsequent requests to the server.'}, {'type': 'paragraph', 'content': 'If the server accepts the old SID cookie and grants authenticated access, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'While no specific commands are provided in the resources, you can use tools like curl or browser developer tools to capture and replay cookies. For example, using curl to send a request with the old SID cookie:'}, {'type': 'list_item', 'content': 'curl -H "Cookie: SID=old_session_id" https://your-olivetin-server/path'}, {'type': 'paragraph', 'content': 'If the response indicates an authenticated session, the vulnerability exists.'}] [2]

Mitigation Strategies

The immediate and recommended mitigation is to upgrade OliveTin to version 3000.11.1 or later, where the vulnerability has been fixed by properly revoking server-side sessions upon logout.

The fix ensures that when a user logs out, the server invalidates the session ID (SID) in its session storage, preventing reuse of stale session cookies.

If upgrading immediately is not possible, consider these temporary mitigations:

  • Manually clear or expire server-side session storage to invalidate existing sessions.
  • Reduce the session expiration time from the default (~1 year) to a much shorter period to limit the window of session reuse.
  • Implement additional monitoring for suspicious reuse of old session cookies.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30224. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart