CVE-2026-44511: katalyst-koi: Session cookies can be replayed after user logout

May 7, 2026

Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated.

This affects applications using Koi admin authentication where an admin session cookie may have been exposed, cached, intercepted, or otherwise retained after logout.

References

github.com/advisories/GHSA-4cx3-3c38-j9vv
github.com/katalyst/koi
github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv
guides.rubyonrails.org/v5.2.0/security.html
nvd.nist.gov/vuln/detail/CVE-2026-44511

Code Behaviors & Features

Detect and mitigate CVE-2026-44511 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →