NIXPKGS-2026-0538

GitHub issue published on 7 Mar 2026

Permalink CVE-2026-30224

updated 18 hours ago by @mweinelt Activity log

Created automatic suggestion 1 day, 7 hours ago
@mweinelt accepted 18 hours ago
@mweinelt published on GitHub 18 hours ago

OliveTin: Session Fixation - Logout Fails to Invalidate Server-Side Session

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1.

References

https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1 x_refsource_MISC
https://github.com/OliveTin/OliveTin/security/advisories/GHSA-gq2m-77hf-vwgh x_refsource_CONFIRM
https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5 x_refsource_MISC

Affected products

OliveTin

==< 3000.11.1

Matching in nixpkgs

pkgs.olivetin

Gives safe and simple access to predefined shell commands from a web interface

nixos-unstable 2025.11.25
- nixpkgs-unstable 2025.11.25
- nixos-unstable-small 2025.11.25
nixos-25.11 2025.11.25
- nixos-25.11-small 2025.11.25
- nixpkgs-25.11-darwin 2025.11.25

Package maintainers

@Defelo Defelo

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0538

References

Affected products

Matching in nixpkgs

pkgs.olivetin

Package maintainers