GHSA-gq2m-77hf-vwgh: OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session

March 5, 2026

OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year).

An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass.

This is a session management flaw that violates expected logout semantics.

References

github.com/OliveTin/OliveTin
github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5
github.com/OliveTin/OliveTin/releases/tag/3000.11.1
github.com/OliveTin/OliveTin/security/advisories/GHSA-gq2m-77hf-vwgh
github.com/advisories/GHSA-gq2m-77hf-vwgh

Code Behaviors & Features

Detect and mitigate GHSA-gq2m-77hf-vwgh with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →