Description
Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This vulnerability is fixed in 4.20.0 and 5.6.0.
Published: 2026-05-14
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A valid admin session cookie remains usable after the user has logged out, allowing an attacker with access to the cookie to continue to perform privileged actions until the cookie naturally expires or the session secrets are changed. The flaw stems from failure to invalidate the session on logout, a weakness classified as CWE‑613. This can lead to unauthorized continued administrative access, data exposure, and potential modification of system settings.

Affected Systems

The issue affects the Katalyst Koi framework for Rails admin interfaces. Versions prior to 4.20.0 in the 4.x line and prior to 5.6.0 in the 5.x line are vulnerable. Later releases incorporate the fix that invalidates the session upon logout.

Risk and Exploitability

The CVSS score of 7.4 indicates a high severity vulnerability. Because the session cookie can be captured or accessed by an attacker after logout, the attack vector is likely local or remote depending on how the cookie is intercepted; the vulnerability does not require privileged code execution or privilege escalation beyond the initial compromised cookie. EPSS data is not available, and the vulnerability is not listed in the KEV catalog, suggesting the exploitation may not yet be widespread in the wild. However, the impact of allowing continued privileged access remains serious.

Generated by OpenCVE AI on May 14, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Katalyst Koi to version 4.20.0 or later in the 4.x line, or to 5.6.0 or later in the 5.x line.
  • Rotate session secrets immediately to invalidate all current session cookies.
  • If upgrading is not yet possible, disable persistent login features or enforce short session expiration times to limit the window of replayability.

Generated by OpenCVE AI on May 14, 2026 at 18:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4cx3-3c38-j9vv katalyst-koi: Session cookies can be replayed after user logout
History

Thu, 14 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This vulnerability is fixed in 4.20.0 and 5.6.0.
Title Katalyst Koi: Session cookies can be replayed after user logout
Weaknesses CWE-613
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:34:47.908Z

Reserved: 2026-05-06T18:28:20.887Z

Link: CVE-2026-44511

cve-icon Vulnrichment

Updated: 2026-05-14T18:34:42.735Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T17:16:22.760

Modified: 2026-05-14T18:19:25.260

Link: CVE-2026-44511

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T19:00:13Z

Weaknesses