CVE-2026-30224

MEDIUM · EPSS 21.9%
Published Mar 6, 2026 (3 months ago) · Modified Jun 17, 2026 (1 week ago)
CVSS 3.1 base score 5.4 (Medium)

Description

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1.
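To make the flaw concrete, the following is an added Go example (not OliveTin's code; the in-memory store, the cookie name and the function names are assumptions) that contrasts a logout which only clears the browser cookie, as described above, with one that also revokes the server-side session, the behaviour the advisory says version 3000.11.1 restores.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"net/http"
	"sync"
)

// SessionStore is a constructed in-memory stand-in for server-side session storage.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]string // session ID (cookie value) -> username
}

func NewSessionStore() *SessionStore { return &SessionStore{sessions: map[string]string{}} }

// Login creates a server-side session and returns the cookie the browser would receive.
func (s *SessionStore) Login(user string) *http.Cookie {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	id := hex.EncodeToString(b)
	s.mu.Lock()
	s.sessions[id] = user
	s.mu.Unlock()
	return &http.Cookie{Name: "session", Value: id, HttpOnly: true, Secure: true}
}

// Authenticate is what every request does: look the presented cookie value up server-side.
func (s *SessionStore) Authenticate(id string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	user, ok := s.sessions[id]
	return user, ok
}

// LogoutCookieOnly models the pre-3000.11.1 behaviour (CWE-613): the browser is told to
// drop the cookie, but the server-side entry stays valid until its expiry.
func (s *SessionStore) LogoutCookieOnly() *http.Cookie {
	return &http.Cookie{Name: "session", Value: "", MaxAge: -1}
}

// Logout is the corrected behaviour: revoke the server-side session first, then clear
// the cookie, so a previously captured cookie value no longer authenticates.
func (s *SessionStore) Logout(id string) *http.Cookie {
	s.mu.Lock()
	delete(s.sessions, id)
	s.mu.Unlock()
	return s.LogoutCookieOnly()
}
```

A regression test for a logout handler should assert that the old cookie value fails `Authenticate` after logout, not merely that the response carries an expired Set-Cookie header.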

CVSS Details

Base Score
5.4
Exploitability
2.8
Impact
2.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
21.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-384
CWE-613

Affected Products 1

Vendor     Product    Version Range
olivetin   olivetin   * <3000.11.1

References 3

  • github.com https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5
    Patch
  • github.com https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1
    Product, Release Notes
  • github.com https://github.com/OliveTin/OliveTin/security/advisories/GHSA-gq2m-77hf-vwgh
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5
    Patch