CVE-2026-44511

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-44511

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44511.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-44511

Aliases

GHSA-4cx3-3c38-j9vv

Published

2026-05-14T16:17:29.187Z

Modified

2026-05-18T06:00:51.844072359Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Katalyst Koi: Session cookies can be replayed after user logout

Details

Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This vulnerability is fixed in 4.20.0 and 5.6.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44511.json",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "last_affected": ">= 5.0.0 <= 5.6.0"
                }
            ]
        }
    ],
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-613"
    ]
}

References

Affected packages

Git / github.com/katalyst/koi

Affected ranges

Type

GIT

Repo

https://github.com/katalyst/koi

Events

Introduced

Fixed

e9be7ce7ca5c9082f92c64b09f467052a574473a

Database specific

{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.20.0"
        }
    ]
}

Affected versions

v1.*

v1.0.0-rc.1

v1.0.0-rc.2

v1.0.0-rc.3

v1.0.0-rc.4

v1.0.0.rc5

v1.0.0.rc6

v1.0.0.rc7

v1.1.0.rc1

v1.1.0.rc2

v1.1.0.rc3

v1.1.0.rc4

v1.1.0.rc5

v2.*

v2.2.0

v2.2.1

v2.3.0

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.4.1

v2.4.10

v2.4.11

v2.4.12

v2.4.13

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.9

v2.5.0

v2.5.1

v2.5.2

v2.5.3

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v2.6.4

v2.7.0

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.1.0

v4.1.1

v4.1.2

v4.10.0

v4.10.1

v4.10.2

v4.10.3

v4.11.0

v4.11.1

v4.11.2

v4.12.0

v4.12.1

v4.12.2

v4.12.3

v4.12.4

v4.12.5

v4.12.6

v4.13.0

v4.13.2

v4.14.0

v4.14.1

v4.14.2

v4.14.3

v4.15.0

v4.15.1

v4.16.0

v4.17.0

v4.17.1

v4.18.0

v4.18.1

v4.19.0

v4.2.0

v4.2.0.beta.1

v4.2.0.beta.2

v4.2.1

v4.3.0

v4.3.0.beta.2

v4.3.0.beta.3

v4.3.0.pre.beta

v4.3.1

v4.3.2

v4.3.3

v4.3.4

v4.3.5

v4.4.0

v4.4.1

v4.5.0

v4.5.0.beta.1

v4.5.0.beta.2

v4.5.1

v4.5.2

v4.5.3

v4.5.4

v4.5.5

v4.5.6

v4.5.7

v4.5.8

v4.5.9

v4.6.0

v4.7.0

v4.7.1

v4.7.2

v4.7.3

v4.8.0

v4.8.1

v4.9.0

v4.9.1

v4.9.2

v4.9.3

v4.9.4

v4.9.5

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44511.json"