Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1.
Published: 2026-03-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Post‑logout session hijacking allowing unauthorized execution of pre‑defined shell commands
Action: Patch
AI Analysis

Impact

OliveTin does not invalidate server‑side session data when a user logs out. Although the browser cookie is cleared, the server retains the session until its default expiry of about one year, meaning an attacker who obtains a session cookie can continue authenticating after a user has supposedly logged out. This flaw permits a privileged attacker to bypass logout protections and gain unauthorized access to the web interface’s command functionality, which could lead to remote command execution on the host system.

Affected Systems

Any installation of OliveTin running a version prior to 3000.11.1 is affected. The vulnerability exists in all OliveTin products listed under the CNA entry OliveTin:OliveTin. No specific deployment configurations are mentioned, so any exposed oliveTin instance could be at risk if it has not been updated.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is less than 1%, suggesting that exploitation probability is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the web interface; it requires an attacker to capture a session cookie, which is feasible through network eavesdropping or phishing. Once in possession of the cookie, the attacker can maintain access until the server‑side session expires. Because the flaw involves server‑side session persistence rather than a code execution path, audit and network monitoring can provide early detection, though the most effective risk mitigation is patching.

Generated by OpenCVE AI on April 16, 2026 at 11:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OliveTin to version 3000.11.1 or later to ensure logout invalidates server‑side session data
  • If upgrade is delayed, remove or expire orphaned session entries in the OliveTin session store and revoke any active tokens through administrative tooling
  • Apply appropriate network and session monitoring to detect reused session cookies and restrict user privileges until the fix is in place

Generated by OpenCVE AI on April 16, 2026 at 11:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gq2m-77hf-vwgh OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session
History

Thu, 12 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:olivetin:olivetin:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Olivetin
Olivetin olivetin
Vendors & Products Olivetin
Olivetin olivetin

Fri, 06 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1.
Title OliveTin: Session Fixation - Logout Fails to Invalidate Server-Side Session
Weaknesses CWE-384
CWE-613
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Olivetin Olivetin
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:54:29.979Z

Reserved: 2026-03-04T17:23:59.797Z

Link: CVE-2026-30224

cve-icon Vulnrichment

Updated: 2026-03-09T20:51:38.360Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T21:16:16.280

Modified: 2026-03-12T15:57:33.710

Link: CVE-2026-30224

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses