OliveTin: Persistent access after logging out

CVE-2026-30224 GHSA-gq2m-77hf-vwgh
Summary

A security flaw in OliveTin allows an attacker to keep accessing the system even after a user has logged out. This can happen if an attacker has previously stolen or captured a user's login cookie. To fix this issue, update to version 3000.11.1 or later.

What to do
  • Update github.com olivetin to version 0.0.0-20260304233115-d6a0abc3755d15.
  • Update olivetin github.com/olivetin/olivetin to version 0.0.0-20260304233115-d6a0abc3755d15.
Affected software
Vendor | Product | Affected versions | Fix available
github.com | olivetin | <= 0.0.0-20260304233115-d6a0abc3755d15 | 0.0.0-20260304233115-d6a0abc3755d15
olivetin | github.com/olivetin/olivetin | <= 0.0.0-20260304233115-d6a0abc3755d15 | 0.0.0-20260304233115-d6a0abc3755d15
olivetin | olivetin | <= 3000.11.1 |
Original title
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie ...
Original description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1.
nvd CVSS3.1 5.4
Vulnerability type
CWE-384
CWE-613
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026
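
The logout flaw in the description above, modelled as an added example (not OliveTin's code): a logout that only clears the browser cookie is compared with one that also deletes the server-side record. The `Session` and `Store` types, the cookie name `sid` and the sample session ID are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Session and Store are hypothetical types for this example, not OliveTin's.
type Session struct {
	User    string
	Expires time.Time
}

// Store maps a session ID to its server-side record (single goroutine, no locking).
type Store map[string]Session

// Authenticate runs on every request: a cookie is valid only while its
// server-side record exists and has not expired.
func (s Store) Authenticate(sid string) (string, bool) {
	sess, ok := s[sid]
	if !ok || time.Now().After(sess.Expires) {
		delete(s, sid)
		return "", false
	}
	return sess.User, true
}

// Logout returns the Set-Cookie value that clears the browser cookie.
// revoke=false stops there (the flaw); revoke=true also deletes the record.
func (s Store) Logout(sid string, revoke bool) string {
	if revoke {
		delete(s, sid)
	}
	return "sid=; Max-Age=0"
}

// ReplayAccepted reports whether a cookie copied before logout still works after it.
func ReplayAccepted(revoke bool) bool {
	const sid = "constructed-session-id" // constructed sample value
	// Login: create the record with the ~1 year default lifetime the page cites.
	st := Store{sid: {User: "alice", Expires: time.Now().Add(365 * 24 * time.Hour)}}
	st.Logout(sid, revoke)
	_, ok := st.Authenticate(sid)
	return ok
}

func main() {
	fmt.Println("cookie-only logout, replay accepted:", ReplayAccepted(false))
	fmt.Println("revoking logout, replay accepted:   ", ReplayAccepted(true))
}
```

The same replay check, run against a deployment with a session ID issued to a test account, confirms whether the installed version revokes sessions on logout.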