PT-2026-38363 · Unknown · Katalyst-Koi
Published: 2026-05-07 · Updated: 2026-05-07 · CVE-2026-44511
CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Katalyst Koi versions prior to 5.6.0
Katalyst Koi versions prior to 4.20.0
Description
Admin session cookies are not invalidated upon logout. An attacker who has obtained a valid admin session cookie (through exposure, caching, or interception) can therefore keep using administrative functionality until the cookie expires or the session secrets are rotated. This is a form of session replay: a previously valid session is reused to gain unauthorized access.
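The following is an added illustration of the weakness class described above, not code from Katalyst Koi. It models a server-side session store with two logout handlers: one that only tells the browser to drop the cookie (the behaviour the advisory describes) and one that also invalidates the session record on the server. The store, the TTL value, the function names and the "captured cookie" scenario are all constructed for the example.

```python
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory session store: session id -> record.
# Stands in for whatever store a real application uses (assumption for this example).
SESSIONS: Dict[str, dict] = {}
SESSION_TTL = 3600  # seconds until a session expires on its own (constructed value)


def login(username: str, role: str = "admin") -> str:
    """Create a server-side session and return the value that goes into the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "role": role, "created": time.time()}
    return sid


def authenticate(cookie: Optional[str]) -> Optional[dict]:
    """Resolve a presented cookie value to a live session record, or None."""
    rec = SESSIONS.get(cookie or "")
    if rec is None:
        return None
    if time.time() - rec["created"] > SESSION_TTL:
        SESSIONS.pop(cookie, None)  # expired: purge the record
        return None
    return rec


def logout_vulnerable(cookie: str) -> str:
    """Logout as the advisory describes: the browser is told to drop the cookie,
    but the server-side record is left untouched, so anyone still holding the
    cookie value keeps admin access until the TTL passes or secrets are rotated."""
    return "Set-Cookie: session=; Max-Age=0"


def logout_fixed(cookie: str) -> str:
    """Hardened logout: invalidate the session on the server first, then expire the cookie."""
    SESSIONS.pop(cookie, None)
    return "Set-Cookie: session=; Max-Age=0"


def rotate_session_secrets() -> None:
    """Mitigation named in the advisory: rotating the secrets invalidates every
    outstanding session at once (modelled here as clearing the store)."""
    SESSIONS.clear()


def replay_after_logout(logout) -> bool:
    """Scenario from the advisory: an admin logs in, the cookie value ends up
    somewhere it can be read later (cache, log, intercepted request), the admin
    logs out, and the stale value is presented again.
    Returns True if the replayed cookie still resolves to an admin session."""
    captured = login("alice")
    logout(captured)
    rec = authenticate(captured)
    return rec is not None and rec["role"] == "admin"


if __name__ == "__main__":
    print("replay works after vulnerable logout:", replay_after_logout(logout_vulnerable))
    print("replay works after fixed logout:     ", replay_after_logout(logout_fixed))
```

The detection angle for defenders follows directly from the model: any request that authenticates with a session id whose logout event has already been recorded is a replay, so logging logout events by session id and alerting on later use of that id is a cheap compensating control while an upgrade is scheduled.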
Recommendations
Upgrade to version 5.6.0 or later.
Upgrade to version 4.20.0 or later.
Fix
Insufficient Session Expiration
Weakness Enumeration
Related Identifiers
Affected Products
Katalyst-Koi