CVE-2026-44511 PUBLISHED

Katalyst Koi: Session cookies can be replayed after user logout

Assigner: GitHub_M
Reserved: 06.05.2026 Published: 14.05.2026 Updated: 14.05.2026

Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This vulnerability is fixed in 4.20.0 and 5.6.0.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 7.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	katalyst
Product	koi
Versions	Version < 4.20.0 is affected Version >= 5.0.0 <= 5.6.0 is affected

References

https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv

Problem Types

CWE-613: Insufficient Session Expiration CWE