katalyst-koi: Session cookies can be replayed after user logout — CVE-2026-44511
GHSA · GitHub · CVE-2026-44511
ID: CVE-2026-44511
Source: GHSA
Vendor: GitHub
Threat: high
CVSS: 7.4
Summary
### Impact

Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This affects applications using Koi admin authentication where an admin session cookie may have been exposed, cached, intercepted, or otherwise retained after…
Product
rubygems: katalyst-koi
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.
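
The failure mode in the Summary, as an added Ruby example (not katalyst-koi's code or its fix): a signed cookie stays valid after logout unless the server also checks state it can revoke. The cookie format, the per-user token store and all names below are assumptions made for illustration.

```ruby
require "openssl"
require "json"
require "securerandom"

SECRET = "constructed-demo-secret"   # constructed value, stands in for the app's session secret
SESSION_TOKENS = {}                  # hypothetical server-side store: user => current session token

# Signed, stateless cookie: base64(JSON payload) + "--" + HMAC-SHA256.
def sign(payload)
  body = [JSON.generate(payload)].pack("m0")
  "#{body}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, body)}"
end

# Returns the payload hash if the signature is valid, otherwise nil.
def verify(cookie)
  body, mac = cookie.to_s.split("--", 2)
  return nil if body.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, body)
  OpenSSL.secure_compare(expected, mac) ? JSON.parse(body.unpack1("m0")) : nil
end

def login(user)
  SESSION_TOKENS[user] = SecureRandom.hex(16)
  sign("user" => user, "token" => SESSION_TOKENS[user])
end

# Logout revokes the server-side token; the browser is also told to drop
# the cookie, but a copy retained elsewhere still carries a valid signature.
def logout(user)
  SESSION_TOKENS.delete(user)
end

# Weak check: any correctly signed cookie is accepted, so logout changes nothing.
def admin_weak?(cookie)
  !verify(cookie).nil?
end

# Hardened check: the cookie's token must match the current server-side token.
def admin_hardened?(cookie)
  session = verify(cookie) or return false
  current = SESSION_TOKENS[session["user"]]
  !current.nil? && OpenSSL.secure_compare(current, session["token"].to_s)
end

# Replays a cookie captured before logout against both checks.
def demo
  cookie = login("admin@example.test")
  before = admin_hardened?(cookie)
  logout("admin@example.test")
  { before_logout: before, weak_after: admin_weak?(cookie), hardened_after: admin_hardened?(cookie) }
end

p demo if $PROGRAM_NAME == __FILE__
```

After upgrading, the same replay makes a quick regression check: capture an admin cookie in a test environment, log out, and confirm the old value is rejected.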