Katalyst Koi, Session Replay after Logout, CVE-2026-44511 (High)


How CVE-2026-44511 Works

CVE-2026-44511 stems from improper session invalidation in Katalyst Koi’s admin authentication. When an admin user logs out, the application does not mark the session cookie as expired or invalid. The session cookie remains valid until its natural expiration time or until a manual rotation of session secrets occurs. An attacker who has previously intercepted, stolen, or otherwise gained access to a valid admin session cookie can replay that cookie even after the legitimate admin has logged out. The application continues to accept the old cookie because it has no way to distinguish a valid post‑logout session from an active one.

The root cause is the omission of a per‑user logout timestamp in the session store. Without this timestamp, the application cannot reject cookies that were issued before the user’s most recent logout. The flaw is a classic session replay vulnerability in a cookie‑based store.

Patched versions fix the issue by recording the admin’s last logout time and comparing it with the creation time of any incoming session cookie. Any cookie created before that logout time is automatically rejected. This ensures that a stolen cookie becomes worthless as soon as the legitimate user performs a fresh logout.
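As an added illustration of the fix described above (not Katalyst Koi’s own code; the class and method names are hypothetical, and it assumes Ruby 3.0+ for OpenSSL.secure_compare), a minimal HMAC-signed cookie store with the pre-patch and patched validity checks side by side:

```ruby
require 'openssl'
require 'json'
# Added illustration, not Katalyst Koi's own code: an HMAC-signed cookie store
# with the per-admin logout timestamp the patch described above introduces.
class AdminSessionStore
  SECRET = 'constructed-demo-secret'.freeze # placeholder, never use in production
  def initialize
    @last_logout_at = {} # admin_id => epoch seconds of the most recent logout
  end

  # Issue a cookie value: base64(json payload) + "." + HMAC-SHA256 tag.
  def issue(admin_id, issued_at: Time.now)
    payload = [JSON.generate(id: admin_id, iat: issued_at.to_i)].pack('m0')
    "#{payload}.#{tag(payload)}"
  end

  # Record the logout time; cookies issued at or before it become invalid.
  def logout(admin_id, at: Time.now)
    @last_logout_at[admin_id] = at.to_i
  end

  # Pre-patch behaviour: only the signature is checked, so a cookie captured
  # before logout still authenticates afterwards (the replay in this CVE).
  def valid_unpatched?(cookie)
    !decode(cookie).nil?
  end

  # Patched behaviour: additionally reject any cookie whose issue time is not
  # strictly after the admin's last logout (equal timestamps are rejected too).
  def valid_patched?(cookie)
    data = decode(cookie)
    return false if data.nil?
    last = @last_logout_at[data['id']]
    last.nil? || data['iat'] > last
  end

  private
  def tag(payload)
    OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
  end

  # Return the payload hash when the tag verifies; nil for malformed/tampered input.
  def decode(cookie)
    payload, given = cookie.to_s.split('.', 2)
    return nil unless payload && given && OpenSSL.secure_compare(given, tag(payload))
    JSON.parse(payload.unpack1('m0'))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end
```

Rotating SECRET invalidates every outstanding cookie at once, which is the blunt mitigation the advisory lists; the logout timestamp is the targeted one.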

DailyCVE Form

Platform: Katalyst Koi
Version: <4.20.0, 5.0.0-5.6.0
Vulnerability: Session cookie replay
Severity: High
Date: May 7, 2026

Prediction: Already patched 2026-05-07

What Undercode Say (Analytics):

Detect vulnerable Koi instances (matches 4.x below 4.20.0 and 5.0.x through 5.5.x in a Gemfile.lock line such as "katalyst-koi (4.19.2)")
grep -E "katalyst-koi \((4\.([0-9]|1[0-9])|5\.[0-5])\.[0-9]+\)" Gemfile.lock
Monitor for suspicious session reuse (only useful if the access log records the Cookie header)
tail -f /var/log/koi/access.log | grep "admin" | grep -E "Cookie:.*koi_session"
Simple replay test (requires a captured cookie)
curl -v -X GET https://target/admin/dashboard \
  -b "koi_session=STOLEN_SESSION_COOKIE_VALUE"

How to Exploit:

1. Intercept a valid admin session cookie during a legitimate admin login.
2. Wait for the admin to explicitly log out of the application.
3. Replay the intercepted cookie by injecting it into a new HTTP request (e.g., using curl, Burp Suite, or a custom script).
4. Observe that the application grants full admin access despite the admin having logged out.
5. Persist admin access until the cookie’s natural expiry or a manual rotation of session secrets.

Protection from this CVE

– Upgrade to Koi 4.20.0 or 5.6.0 (or any later version).
– If upgrading immediately is not possible, backport the patch that records admin logout time and rejects pre‑logout cookies.
– Rotate session secrets periodically to force invalidation of all existing session cookies.
– Implement short session expiry times for admin sessions to reduce the window of opportunity.

Impact

– An attacker with a stolen admin session cookie can maintain unlimited access to admin functionality after the legitimate admin has logged out.
– The attacker can perform any admin‑privileged action (e.g., change configurations, access sensitive data, create backdoors) without needing the admin’s credentials again.
– The vulnerability undermines the explicit logout guarantee, breaking the expected security boundary.


Sources:

Reported By: github.com
Extra Source Hub: Undercode
