Skip to main content

Katalyst Koi EUVDEUVD-2026-30329

| CVE-2026-44511 HIGH
Insufficient Session Expiration (CWE-613)
2026-05-07 https://github.com/katalyst/koi GHSA-4cx3-3c38-j9vv
7.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 02:31 vuln.today
Analysis Generated
May 07, 2026 - 02:31 vuln.today
CVE Published
May 07, 2026 - 02:13 nvd
HIGH 7.4

DescriptionGitHub Advisory

Impact

Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated.

This affects applications using Koi admin authentication where an admin session cookie may have been exposed, cached, intercepted, or otherwise retained after logout.

Patches

The issue has been patched by recording admin logout time and rejecting any admin session cookie created before the user’s most recent logout.

Users should upgrade to the patched Koi releases once available.

Workarounds

Katalyst Koi recommends upgrading to the latest available version, or back porting the changes released in 5.6.0/4.20.0

Resources

This is an application of https://guides.rubyonrails.org/v5.2.0/security.html#replay-attacks-for-cookiestore-sessions

AnalysisAI

Session replay vulnerability in Katalyst Koi admin authentication allows attackers with previously captured session cookies to maintain administrative access after legitimate logout. The issue affects Koi versions prior to 4.20.0 and 5.0.0-5.5.x, stemming from inadequate session invalidation that violates Rails security best practices for CookieStore session replay prevention. While the CVSS score of 7.4 reflects network-based attack potential, the AC:H rating and prerequisite of cookie interception significantly reduce real-world exploitation probability. No evidence of active exploitation or public POC exists at time of analysis, and vendor-released patches are available for both affected version ranges.

Technical ContextAI

This vulnerability affects the Katalyst Koi Ruby gem (pkg:rubygems/katalyst-koi), an admin interface framework for Rails applications. The root cause is CWE-613 (Insufficient Session Expiration), a common web application security flaw where session tokens remain valid after logout events. Rails applications using CookieStore for session management are particularly susceptible to replay attacks because session data is stored client-side in signed cookies rather than server-side. Without explicit logout timestamp tracking and validation, the application cannot distinguish between a valid active session and a replayed cookie from a terminated session. The patch implements the Rails security guide recommendation by recording logout timestamps server-side and rejecting any session cookie with a creation time predating the user's most recent logout, effectively implementing stateful session termination in an otherwise stateless cookie-based authentication scheme.

RemediationAI

Organizations should upgrade to Katalyst Koi version 4.20.0 for the 4.x release line or version 5.6.0 for the 5.x release line, as confirmed by the vendor security advisory at https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv. The patches implement logout timestamp tracking to prevent session cookie replay attacks. For environments where immediate upgrading is not feasible, the vendor recommends back-porting the specific changes released in these versions, though this requires code modification expertise and ongoing maintenance burden. As a temporary compensating control, organizations can rotate Rails session secrets to immediately invalidate all existing session cookies, though this forces re-authentication for all current admin users and does not prevent future replay attacks post-rotation. Another partial mitigation is restricting admin access to trusted networks only via firewall rules or VPN requirements, reducing cookie interception opportunities, but this does not address scenarios where cookies are exposed through browser cache, shared workstations, or client-side vulnerabilities. Network-level controls provide defense-in-depth but should not substitute for applying the vendor patch, which is the only complete remediation.

Share

EUVD-2026-30329 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy