EUVD-2026-30329
GHSA-4cx3-3c38-j9vv
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionNVD
Impact
Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated.
This affects applications using Koi admin authentication where an admin session cookie may have been exposed, cached, intercepted, or otherwise retained after logout.
Patches
The issue has been patched by recording admin logout time and rejecting any admin session cookie created before the user’s most recent logout.
Users should upgrade to the patched Koi releases once available.
Workarounds
Katalyst Koi recommends upgrading to the latest available version, or back porting the changes released in 5.6.0/4.20.0
Resources
This is an application of https://guides.rubyonrails.org/v5.2.0/security.html#replay-attacks-for-cookiestore-sessions
AnalysisAI
Session replay vulnerability in Katalyst Koi admin authentication allows attackers with previously captured session cookies to maintain administrative access after legitimate logout. The issue affects Koi versions prior to 4.20.0 and 5.0.0-5.5.x, stemming from inadequate session invalidation that violates Rails security best practices for CookieStore session replay prevention. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: identify all Katalyst Koi instances and their current versions (check config/version.rb and admin interface version display). Within 7 days: apply vendor patches immediately-upgrade to Koi 4.20.0 or later for 4.x installations, and to 5.6.0 or later for 5.x installations; test patched versions in staging environment before production rollout. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today