Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated.
This affects applications using Koi admin authentication where an admin session cookie may have been exposed, cached, intercepted, or otherwise retained after logout.
Patches
The issue has been patched by recording admin logout time and rejecting any admin session cookie created before the user’s most recent logout.
Users should upgrade to the patched Koi releases once available.
Workarounds
Katalyst Koi recommends upgrading to the latest available version, or back porting the changes released in 5.6.0/4.20.0
Resources
This is an application of https://guides.rubyonrails.org/v5.2.0/security.html#replay-attacks-for-cookiestore-sessions
AnalysisAI
Session replay vulnerability in Katalyst Koi admin authentication allows attackers with previously captured session cookies to maintain administrative access after legitimate logout. The issue affects Koi versions prior to 4.20.0 and 5.0.0-5.5.x, stemming from inadequate session invalidation that violates Rails security best practices for CookieStore session replay prevention. While the CVSS score of 7.4 reflects network-based attack potential, the AC:H rating and prerequisite of cookie interception significantly reduce real-world exploitation probability. No evidence of active exploitation or public POC exists at time of analysis, and vendor-released patches are available for both affected version ranges.
Technical ContextAI
This vulnerability affects the Katalyst Koi Ruby gem (pkg:rubygems/katalyst-koi), an admin interface framework for Rails applications. The root cause is CWE-613 (Insufficient Session Expiration), a common web application security flaw where session tokens remain valid after logout events. Rails applications using CookieStore for session management are particularly susceptible to replay attacks because session data is stored client-side in signed cookies rather than server-side. Without explicit logout timestamp tracking and validation, the application cannot distinguish between a valid active session and a replayed cookie from a terminated session. The patch implements the Rails security guide recommendation by recording logout timestamps server-side and rejecting any session cookie with a creation time predating the user's most recent logout, effectively implementing stateful session termination in an otherwise stateless cookie-based authentication scheme.
RemediationAI
Organizations should upgrade to Katalyst Koi version 4.20.0 for the 4.x release line or version 5.6.0 for the 5.x release line, as confirmed by the vendor security advisory at https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv. The patches implement logout timestamp tracking to prevent session cookie replay attacks. For environments where immediate upgrading is not feasible, the vendor recommends back-porting the specific changes released in these versions, though this requires code modification expertise and ongoing maintenance burden. As a temporary compensating control, organizations can rotate Rails session secrets to immediately invalidate all existing session cookies, though this forces re-authentication for all current admin users and does not prevent future replay attacks post-rotation. Another partial mitigation is restricting admin access to trusted networks only via firewall rules or VPN requirements, reducing cookie interception opportunities, but this does not address scenarios where cookies are exposed through browser cache, shared workstations, or client-side vulnerabilities. Network-level controls provide defense-in-depth but should not substitute for applying the vendor patch, which is the only complete remediation.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30329
GHSA-4cx3-3c38-j9vv