CVE-2026-30224
OliveTin: Session Fixation - Logout Fails to Invalidate Server-Side Session
CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until it expires (default lifetime approximately 1 year). An attacker holding a previously stolen or captured session cookie can therefore keep authenticating after the victim has logged out, which amounts to a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. The issue has been patched in version 3000.11.1.
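The flaw above is easiest to see by comparing a logout that only clears the cookie with one that also deletes the server-side entry. The Go program below is an added illustration written for this page; it is not OliveTin's code, and the cookie name, handlers, `SessionStore` type and `/api/logout` and `/api/whoami` paths are all hypothetical. `SessionSurvivesLogout` plays the attack end to end: capture the victim's cookie, let the victim log out, replay the cookie against an authenticated endpoint.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// All identifiers below are hypothetical; none are OliveTin's own.
const cookieName = "example-session"

type session struct {
	user    string
	expires time.Time
}

// SessionStore is a minimal in-memory server-side session table
// (single-goroutine demo; a real store needs locking).
type SessionStore struct {
	sessions map[string]session
}

func NewSessionStore() *SessionStore { return &SessionStore{sessions: make(map[string]session)} }

// Create mints a random session ID, records it server-side with the given
// lifetime and returns the ID that goes into the browser cookie.
func (s *SessionStore) Create(user string, ttl time.Duration) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	id := hex.EncodeToString(b)
	s.sessions[id] = session{user: user, expires: time.Now().Add(ttl)}
	return id
}

// Lookup resolves a session ID to a user; unknown or expired IDs fail.
func (s *SessionStore) Lookup(id string) (string, bool) {
	sess, ok := s.sessions[id]
	if !ok || time.Now().After(sess.expires) {
		return "", false
	}
	return sess.user, true
}

// Revoke removes the server-side entry so the ID can never authenticate again.
func (s *SessionStore) Revoke(id string) { delete(s.sessions, id) }

// logoutHandler clears the browser cookie. With revokeServerSide=false it
// reproduces the flaw above: the server-side entry stays valid until expiry.
func logoutHandler(store *SessionStore, revokeServerSide bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(cookieName); err == nil && revokeServerSide {
			store.Revoke(c.Value)
		}
		http.SetCookie(w, &http.Cookie{Name: cookieName, Value: "", Path: "/", MaxAge: -1})
		w.WriteHeader(http.StatusNoContent)
	}
}

// whoamiHandler is an authenticated endpoint: 200 with the user, otherwise 401.
func whoamiHandler(store *SessionStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user, ok := "", false
		if c, err := r.Cookie(cookieName); err == nil {
			user, ok = store.Lookup(c.Value)
		}
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprintln(w, user)
	}
}

// SessionSurvivesLogout plays the attack: the victim's cookie is captured, the
// victim logs out, the attacker replays the captured cookie. It reports
// whether the replay still authenticates.
func SessionSurvivesLogout(revokeServerSide bool) bool {
	store := NewSessionStore()
	sid := store.Create("alice", 365*24*time.Hour) // long lifetime, as in the advisory
	logout := httptest.NewRequest(http.MethodPost, "/api/logout", nil)
	logout.AddCookie(&http.Cookie{Name: cookieName, Value: sid})
	logoutHandler(store, revokeServerSide).ServeHTTP(httptest.NewRecorder(), logout)
	replay := httptest.NewRequest(http.MethodGet, "/api/whoami", nil)
	replay.AddCookie(&http.Cookie{Name: cookieName, Value: sid})
	rec := httptest.NewRecorder()
	whoamiHandler(store).ServeHTTP(rec, replay)
	return rec.Code == http.StatusOK
}

func main() {
	fmt.Println("cookie-only logout, replay authenticates:", SessionSurvivesLogout(false)) // true
	fmt.Println("server-side revoke, replay authenticates:", SessionSurvivesLogout(true)) // false
}
```

The same replay is the check to run against a deployment: log in, copy the session cookie, log out through the UI, then send the copied cookie to any authenticated endpoint. A fixed instance must answer 401; anything else means the server-side session outlived the logout. Note that clearing the cookie with `MaxAge: -1` only instructs the victim's browser to forget it, which is why an attacker's copy is unaffected.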
| CWE | CWE-384 CWE-613 |
| Vendor | olivetin |
| Product | olivetin |
| Published | Mar 6, 2026 |
| Last Updated | Mar 9, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
| Metric | Value |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
OliveTin / OliveTin
< 3000.11.1