{"id":"CVE-2026-44511","summary":"Katalyst Koi: Session cookies can be replayed after user logout","details":"Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated (revoked) when an admin user logged out. An attacker who had obtained a copy of a valid admin session cookie could therefore continue to access admin functionality after the user logged out, until the cookie expired or the application's session secrets were rotated. This vulnerability is fixed in 4.20.0 and 5.6.0. Note that this record's unparsed 5.x affected range (\u003e= 5.0.0 \u003c= 5.6.0) lists 5.6.0 itself as affected, which conflicts with the fixed version stated here; confirm the exact 5.x boundary against the linked GHSA advisory. Operators should also consider rotating session secrets after upgrading, since an upgrade alone may not revoke session cookies that were copied before the fix was deployed.","aliases":["GHSA-4cx3-3c38-j9vv"],"modified":"2026-05-18T06:00:51.844072359Z","published":"2026-05-14T16:17:29.187Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44511.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"last_affected":"\u003e= 5.0.0 \u003c= 5.6.0"}]}],"cwe_ids":["CWE-613"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44511.json"},{"type":"ADVISORY","url":"https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44511"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/katalyst/koi","events":[{"introduced":"0"},{"fixed":"e9be7ce7ca5c9082f92c64b09f467052a574473a"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"4.20.0"}]}}],"versions":["v4.19.0","v4.18.1","v4.18.0","v4.17.1","v4.17.0","v4.16.0","v4.15.1","v4.15.0","v4.14.3","v4.14.2","v4.14.1","v4.14.0","v4.13.2","v4.13.0","v4.12.6","v4.12.5","v4.12.4","v4.12.3","v4.12.2","v4.12.1","v4.12.0","v4.11.2","v4.11.1","v4.11.0","v4.10.3","v4.10.2","v4.10.1","v4.10.0","v4.9.5","v4.9.4","v4.9.3","v4.9.2","v4.9.1","v4.9.0","v4.8.1","v4.8.0","v4.7.3","v4.7.2","v4.7.1","v4.7.0","v4.6.0","v4.5.9","v4.5.8","v4.5.7","v4.5.6","v4.5.5","v4.5.4","v4.5.3","v4.5.2","v4.5.1","v4.5.0","v4.5.0.b
eta.2","v4.5.0.beta.1","v4.4.1","v4.4.0","v4.3.5","v4.3.4","v4.3.3","v4.3.2","v4.3.1","v4.3.0","v4.3.0.beta.3","v4.3.0.beta.2","v4.3.0.pre.beta","v4.2.1","v4.2.0","v4.2.0.beta.2","v4.2.0.beta.1","v4.1.2","v4.1.1","v4.1.0","v4.0.3","v4.0.2","v4.0.1","v4.0.0","v2.6.4","v2.7.0","v2.6.3","v2.6.2","v2.6.1","v2.6.0","v2.5.3","v2.4.13","v2.5.2","v2.5.1","v2.5.0","v2.2.0","v2.4.12","v2.4.11","v2.4.10","v2.4.9","v2.4.8","v2.4.7","v2.4.6","v2.4.5","v2.4.4","v2.4.3","v2.4.2","v2.3.6","v2.4.1","v2.3.5","v2.3.4","v2.3.3","v2.3.2","v2.3.0","v2.2.1","v1.1.0.rc5","v1.1.0.rc4","v1.1.0.rc3","v1.1.0.rc2","v1.1.0.rc1","v1.0.0.rc7","v1.0.0.rc6","v1.0.0.rc5","v1.0.0-rc.4","v1.0.0-rc.3","v1.0.0-rc.2","v1.0.0-rc.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44511.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}