Threat Advisory

Katalyst Koi Vulnerability Elevated Privileges Retained After Logout Issue

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-44511, with a CVSS score of 7.4, is a session management vulnerability in applications using Koi admin authentication where admin session cookies were not invalidated upon logout. As a result, if an attacker obtained or retained a valid admin session cookie, they could continue accessing admin functionality even after the legitimate user logged out, until the cookie naturally expired or session secrets were rotated. The issue stems from missing logout-based session invalidation, allowing replay of previously issued admin sessions. It has been fixed by introducing a mechanism that records the admin's logout time and rejects any session cookies created before the most recent logout event. Users are advised to apply the patched versions to mitigate the risk.
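The logout-time check described above, as an added Ruby example that is not code from katalyst-koi: an HMAC-signed cookie carrying an issued-at timestamp is validated first the vulnerable way (signature and expiry only) and then with the per-admin last-logout time, so a cookie replayed after logout is rejected. The cookie format, secret and TTL are constructed for illustration.

```ruby
require "openssl"
require "json"
require "base64"
require "time"

# Constructed demo values, not Koi's real cookie format or secret.
SECRET = "constructed-demo-secret"
SESSION_TTL = 14 * 24 * 3600 # assumed cookie lifetime in seconds

# Issue a signed cookie carrying the admin id and an issued-at (iat) timestamp.
def issue_cookie(admin_id, issued_at)
  payload = Base64.strict_encode64(JSON.generate(admin_id: admin_id, iat: issued_at.to_i))
  sig = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  "#{payload}.#{sig}"
end

# Verify the signature in constant time; return the decoded payload or nil.
def decode_cookie(cookie)
  payload, sig = cookie.split(".", 2)
  return nil unless payload && sig
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  return nil unless expected.bytesize == sig.bytesize
  return nil unless OpenSSL.fixed_length_secure_compare(expected, sig)
  JSON.parse(Base64.strict_decode64(payload))
end

# Vulnerable check: signature and TTL only, so logout never invalidates a cookie.
def vulnerable_session_valid?(cookie, now)
  data = decode_cookie(cookie)
  !data.nil? && now.to_i < data["iat"] + SESSION_TTL
end

# Fixed check: additionally reject cookies issued at or before the admin's most
# recent logout. logout_log maps admin_id => Time of last logout (absent if never).
def fixed_session_valid?(cookie, logout_log, now)
  data = decode_cookie(cookie)
  return false if data.nil? || now.to_i >= data["iat"] + SESSION_TTL
  last_logout = logout_log[data["admin_id"]]
  last_logout.nil? || data["iat"] > last_logout.to_i
end

# Called by the logout handler: remember when this admin last logged out.
def record_logout(logout_log, admin_id, now)
  logout_log[admin_id] = now
end
```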


RECOMMENDATION:

We recommend updating katalyst-koi to version 4.20.0 or 5.6.0 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-4cx3-3c38-j9vv
