CVE-2026-44511
HIGHKatalyst Koi: Session cookies can be replayed after user logout
Title source: cnaDescription
Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This vulnerability is fixed in 4.20.0 and 5.6.0.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv
Scores
CVSS v3
7.4
EPSS
0.0004
EPSS Percentile
11.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-613
Status
published
Products (4)
katalyst/koi
< 4.20.0
katalyst/koi
>= 5.0.0 <= 5.6.0
rubygems/katalyst-koi
0 - 4.20.0RubyGems
rubygems/katalyst-koi
5.0.0 - 5.6.0RubyGems
Published
May 14, 2026
Tracked Since
May 14, 2026