PT-2026-23614 · Olivetin · Olivetin
Zwique · Published 2026-03-05 · Updated 2026-03-25 · CVE-2026-30224

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OliveTin versions prior to 3000.11.1

Description: OliveTin does not properly invalidate server-side sessions upon user logout. Although the browser cookie is cleared during logout, the corresponding session remains valid in server storage until its natural expiry, which defaults to approximately one year. An attacker possessing a previously stolen or captured session cookie can continue to authenticate after the user has logged out, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. The issue stems from the failure to delete the session identifier (SID) from server-side storage during the logout process. The flawed session handling is in the files api.go, sessions.go, and local.go (lines 392-427, 39-59, 61-80, and 32-47 respectively). The vulnerability allows an attacker to replay an old SID after logout to maintain authentication. The affected API endpoints are /api/Logout and /api/WhoAmI. The vulnerable variable is sid.

Recommendations: Versions prior to 3000.11.1 should be updated to version 3000.11.1 or later to resolve the issue.
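The flaw class described above, shown as an added Go example that is not OliveTin's code: a minimal in-memory session store with a WhoAmI handler that authenticates purely from server-side state, a logout handler that only clears the browser cookie (the defect the advisory describes), and a fixed logout that also deletes the SID from the store. The store, the handler names, the cookie name "sid" and the one-year TTL are assumptions for the illustration; ReplayAfterLogout drives a login, a logout and a replay of the old cookie and returns the status the replay gets, so the difference between the two logouts is testable.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Session is a server-side record keyed by its session identifier (SID).
type Session struct {
	Username string
	Expires  time.Time
}

// Store is a stand-in in-memory session store (assumption: not OliveTin's own storage).
type Store struct {
	mu       sync.Mutex
	sessions map[string]Session
}

func NewStore() *Store { return &Store{sessions: map[string]Session{}} }

// Create mints a random SID and records the session with the given lifetime.
func (s *Store) Create(user string, ttl time.Duration) string {
	b := make([]byte, 16)
	rand.Read(b)
	sid := hex.EncodeToString(b)
	s.mu.Lock()
	s.sessions[sid] = Session{Username: user, Expires: time.Now().Add(ttl)}
	s.mu.Unlock()
	return sid
}

// Lookup returns the session for a SID if it exists and has not expired.
func (s *Store) Lookup(sid string) (Session, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[sid]
	if !ok || time.Now().After(sess.Expires) {
		return Session{}, false
	}
	return sess, true
}

// Delete removes a SID from server-side storage.
func (s *Store) Delete(sid string) {
	s.mu.Lock()
	delete(s.sessions, sid)
	s.mu.Unlock()
}

const cookieName = "sid" // assumed cookie name for the example

// WhoAmI trusts only server-side state: any SID still in the store authenticates.
func (s *Store) WhoAmI(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie(cookieName)
	if err != nil {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	sess, ok := s.Lookup(c.Value)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	w.Write([]byte(sess.Username))
}

func clearCookie(w http.ResponseWriter) {
	http.SetCookie(w, &http.Cookie{Name: cookieName, Value: "", Path: "/", MaxAge: -1, HttpOnly: true})
}

// VulnerableLogout clears the browser cookie only; the SID stays valid until natural expiry.
func (s *Store) VulnerableLogout(w http.ResponseWriter, r *http.Request) {
	clearCookie(w)
	w.WriteHeader(http.StatusOK)
}

// FixedLogout deletes the SID from the store before clearing the cookie, so a replay fails.
func (s *Store) FixedLogout(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie(cookieName); err == nil {
		s.Delete(c.Value)
	}
	clearCookie(w)
	w.WriteHeader(http.StatusOK)
}

// ReplayAfterLogout logs a user in, logs out through the chosen handler, then presents the
// old SID to WhoAmI again. It returns the HTTP status the replayed request receives.
func ReplayAfterLogout(fixed bool) int {
	store := NewStore()
	sid := store.Create("alice", 365*24*time.Hour) // roughly the one-year default the advisory cites
	logout := store.VulnerableLogout
	if fixed {
		logout = store.FixedLogout
	}
	req := httptest.NewRequest(http.MethodPost, "/api/Logout", nil)
	req.AddCookie(&http.Cookie{Name: cookieName, Value: sid})
	logout(httptest.NewRecorder(), req)

	// Replay of the captured SID after logout.
	req = httptest.NewRequest(http.MethodGet, "/api/WhoAmI", nil)
	req.AddCookie(&http.Cookie{Name: cookieName, Value: sid})
	rec := httptest.NewRecorder()
	store.WhoAmI(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("replay after cookie-only logout:", ReplayAfterLogout(false)) // 200
	fmt.Println("replay after store-deleting logout:", ReplayAfterLogout(true)) // 401
}
```

The detection-side takeaway is the same check the example encodes: after a logout, a request carrying the old SID must be rejected by the server, regardless of what the client did with its cookie.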

Exploit

Fix

Insufficient Session Expiration

Session Fixation


Weakness Enumeration

Related Identifiers

CVE-2026-30224
GHSA-GQ2M-77HF-VWGH
GO-2026-4623
SUSE-SU-2026:1042-1

Affected Products

Olivetin