GHSA-4cx3-3c38-j9vv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4cx3-3c38-j9vv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-4cx3-3c38-j9vv/GHSA-4cx3-3c38-j9vv.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-4cx3-3c38-j9vv
- Aliases
- Published
- 2026-05-07T02:13:42Z
- Modified
- 2026-05-14T21:00:19.549173851Z
- Severity
-
- 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- katalyst-koi: Session cookies can be replayed after user logout
- Details
-
Impact
Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated.
This affects applications using Koi admin authentication where an admin session cookie may have been exposed, cached, intercepted, or otherwise retained after logout.
Patches
The issue has been patched by recording admin logout time and rejecting any admin session cookie created before the user’s most recent logout.
Users should upgrade to the patched Koi releases once available.
Workarounds
Katalyst Koi recommends upgrading to the latest available version, or back porting the changes released in 5.6.0/4.20.0
Resources
This is an application of https://guides.rubyonrails.org/v5.2.0/security.html#replay-attacks-for-cookiestore-sessions
- Database specific
{ "github_reviewed_at": "2026-05-07T02:13:42Z", "cwe_ids": [ "CWE-613" ], "github_reviewed": true, "severity": "HIGH", "nvd_published_at": "2026-05-14T17:16:22Z" }- References
Affected packages
RubyGems / katalyst-koi
Package
- Name
- katalyst-koi
- Purl
- pkg:gem/katalyst-koi
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.20.0
Affected versions
4.*
RubyGems / katalyst-koi
Package
- Name
- katalyst-koi
- Purl
- pkg:gem/katalyst-koi