CVE-2026-30224 Overview
OliveTin is a web-based application that provides access to predefined shell commands through a browser interface. A session fixation vulnerability exists in versions prior to 3000.11.1 where OliveTin fails to revoke server-side sessions when a user logs out. Although the browser cookie is cleared during logout, the corresponding session remains valid in server storage until expiry (default approximately 1 year). An attacker who has previously stolen or captured a session cookie can continue authenticating after the legitimate user has logged out, resulting in a post-logout authentication bypass.
Critical Impact
This session management flaw allows attackers with captured session cookies to maintain persistent unauthorized access to OliveTin interfaces, potentially enabling execution of predefined shell commands even after the legitimate user believes their session has ended.
Affected Products
- OliveTin versions prior to 3000.11.1
- OliveTin web interface with authentication enabled
- Systems using OliveTin's OAuth2 authentication provider
Discovery Timeline
- 2026-03-06 - CVE-2026-30224 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-30224
Vulnerability Analysis
This vulnerability is classified as CWE-384 (Session Fixation), a session management flaw that violates expected logout semantics. When a user initiates a logout through the OliveTin web interface, the application properly clears the browser-side cookie but fails to invalidate the corresponding session token stored on the server. This creates a window where previously captured session identifiers remain functional for the duration of their original expiry period.
The attack requires prior access to a valid session cookie, which could be obtained through various means including network interception, cross-site scripting attacks, or physical access to the user's browser. Once obtained, the session cookie can be reused to authenticate as the victim user even after they have explicitly logged out, effectively defeating the purpose of the logout functionality.
Root Cause
The root cause lies in the incomplete implementation of the logout functionality within OliveTin's API layer. The Logout function in service/internal/api/api.go was missing the critical call to revoke the server-side session. Without this revocation step, the session storage (including OAuth2 registered states) retained valid session entries indefinitely until their natural expiration.
Attack Vector
The attack is network-based and requires low privileges to execute. An attacker must first obtain a valid session cookie through methods such as session sniffing on unencrypted networks, XSS exploitation, or access to stored browser data. Once the session cookie is captured, the attacker can replay it against the OliveTin server to gain authenticated access. The vulnerability is particularly concerning because the default session expiry of approximately one year provides a lengthy window for exploitation, even if the legitimate user has logged out thinking their session is terminated.
// Patch adding session revocation to Logout function
// Source: https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5
func (api *oliveTinAPI) Logout(ctx ctx.Context, req *connect.Request[apiv1.LogoutRequest]) (*connect.Response[apiv1.LogoutResponse], error) {
user := auth.UserFromApiCall(ctx, req, api.cfg)
+ auth.RevokeSessionForProvider(api.cfg, user.Provider, user.SID)
+
log.WithFields(log.Fields{
"username": user.Username,
"provider": user.Provider,
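Review bot: the new `auth.RevokeSessionForProvider(api.cfg, user.Provider, user.SID)` call runs on every logout request before anything in this hunk confirms that `user` carries a real session; if `UserFromApiCall` yields an anonymous or guest user with an empty `SID`, or a provider that has no session store, the helper must treat that as a no-op rather than an error that aborts the logout. It would also help the detection guidance later on this page to record the revocation result in the `log.WithFields` call that follows (the visible fields are only `username` and `provider`), so that a logout which did not remove a server-side entry shows up in the logs.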
// New RevokeSession method added to OAuth2Handler
// Source: https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5
return user, true
}
+func (h *OAuth2Handler) RevokeSession(sid string) {
+ h.mu.Lock()
+ defer h.mu.Unlock()
+ delete(h.registeredStates, sid)
+}
+
func (h *OAuth2Handler) CheckUserFromOAuth2Cookie(context *authTypes.AuthCheckingContext) *authTypes.AuthenticatedUser {
cookie, err := context.Request.Cookie("olivetin-sid-oauth")
if err != nil || cookie.Value == "" {
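Review bot: `RevokeSession` takes `h.mu` before deleting from `h.registeredStates`, but the read side in `CheckUserFromOAuth2Cookie` (which resolves the `olivetin-sid-oauth` cookie value against that map) must hold the same lock, otherwise the delete races with concurrent cookie checks; that lookup is not shown in this excerpt, so confirm it. `delete` on a missing key is a no-op, so revoking an already-revoked or unknown SID is safe. Only the OAuth2 provider gets a `RevokeSession` here; any other provider dispatched through `RevokeSessionForProvider` needs the equivalent, or its sessions keep the post-logout behaviour this advisory describes.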
Detection Methods for CVE-2026-30224
Indicators of Compromise
- Authentication activity from session identifiers that were previously associated with logged-out users
- Multiple concurrent sessions using identical session cookies from different IP addresses or user agents
- Session cookie reuse patterns where the same olivetin-sid-oauth cookie appears in requests after a logout event was logged
Detection Strategies
- Monitor OliveTin application logs for logout events followed by subsequent authenticated requests using the same session identifier
- Implement network monitoring to detect session cookie replay attacks, particularly from IP addresses or geographies inconsistent with the original user
- Review session storage for entries that should have been invalidated but remain active
Monitoring Recommendations
- Enable detailed logging for authentication and session management events in OliveTin
- Configure alerting for authentication attempts using session cookies that were associated with recent logout events
- Monitor for unusual patterns in shell command execution that may indicate unauthorized access through session hijacking
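The two log-based detection strategies above (a session identifier reused in authenticated requests after its logout event, and one identifier accepted from more than one client address) can be implemented as a small pass over the application log. The following Go program is an added example, not OliveTin's code; the `ts=… event=… sid=… user=… ip=…` line layout and the `auth_ok`/`logout` event names are assumptions made for the example, since the page does not specify OliveTin's log format, and the log lines themselves are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one parsed log line. The key=value layout is an assumption made for
// this example; OliveTin's actual log format is not specified on this page.
type Event struct {
	TS, Kind, SID, User, IP string
}

// ParseLine extracts the fields the detector needs and reports whether the line
// carries at least an event type and a session identifier.
func ParseLine(line string) (Event, bool) {
	var e Event
	for _, tok := range strings.Fields(line) {
		k, v, ok := strings.Cut(tok, "=")
		if !ok {
			continue
		}
		switch k {
		case "ts":
			e.TS = v
		case "event":
			e.Kind = v
		case "sid":
			e.SID = v
		case "user":
			e.User = v
		case "ip":
			e.IP = v
		}
	}
	return e, e.Kind != "" && e.SID != ""
}

// Finding is one alert produced by Analyze.
type Finding struct {
	Rule   string // "sid-from-multiple-ips" or "replay-after-logout"
	SID    string
	TS     string
	Detail string
}

// Analyze walks the lines in order and raises a finding when an authenticated
// request reuses a SID after that SID's logout event, or when a SID is accepted
// from a second client IP.
func Analyze(lines []string) []Finding {
	var findings []Finding
	loggedOut := make(map[string]string) // sid -> logout timestamp
	firstIP := make(map[string]string)   // sid -> IP it was first accepted from
	for _, l := range lines {
		e, ok := ParseLine(l)
		if !ok {
			continue
		}
		switch e.Kind {
		case "logout":
			loggedOut[e.SID] = e.TS
		case "auth_ok":
			if ip, seen := firstIP[e.SID]; !seen {
				firstIP[e.SID] = e.IP
			} else if ip != e.IP {
				findings = append(findings, Finding{Rule: "sid-from-multiple-ips", SID: e.SID, TS: e.TS,
					Detail: fmt.Sprintf("first accepted from %s, now %s", ip, e.IP)})
			}
			if at, out := loggedOut[e.SID]; out {
				findings = append(findings, Finding{Rule: "replay-after-logout", SID: e.SID, TS: e.TS,
					Detail: fmt.Sprintf("user %s logged out at %s", e.User, at)})
			}
		}
	}
	return findings
}

// SampleLog is constructed for this example: alice logs out, then her SID is
// accepted again two hours later from a different address; bob is benign.
var SampleLog = []string{
	"ts=2026-03-10T09:00:01Z event=auth_ok sid=s-alice-1 user=alice ip=10.0.0.5",
	"ts=2026-03-10T09:05:12Z event=auth_ok sid=s-alice-1 user=alice ip=10.0.0.5",
	"ts=2026-03-10T09:30:00Z event=logout sid=s-alice-1 user=alice ip=10.0.0.5",
	"ts=2026-03-10T11:42:27Z event=auth_ok sid=s-alice-1 user=alice ip=203.0.113.9",
	"ts=2026-03-10T09:10:00Z event=auth_ok sid=s-bob-7 user=bob ip=10.0.0.6",
	"ts=2026-03-10T09:20:00Z event=logout sid=s-bob-7 user=bob ip=10.0.0.6",
}

func main() {
	for _, f := range Analyze(SampleLog) {
		fmt.Printf("%s sid=%s at %s: %s\n", f.Rule, f.SID, f.TS, f.Detail)
	}
}
```

On the sample input the fourth line produces both findings for `s-alice-1`, while bob's session, which is never reused after its logout, produces none. The multiple-IP rule is deliberately kept separate from the replay rule: on a patched server the replay rule should go quiet, but a SID seen from two addresses during its lifetime still deserves review.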
How to Mitigate CVE-2026-30224
Immediate Actions Required
- Upgrade OliveTin to version 3000.11.1 or later immediately
- Force logout all active sessions and require re-authentication after upgrading
- Review access logs for any suspicious post-logout authentication activity
- Consider temporarily disabling external access to OliveTin instances until patching is complete
Patch Information
The vulnerability has been patched in OliveTin version 3000.11.1. The fix adds proper server-side session revocation when users log out by calling auth.RevokeSessionForProvider() in the Logout API handler and implementing a new RevokeSession() method in the OAuth2Handler that properly removes session entries from the registered states map. Users should upgrade to this version by downloading the release from the OliveTin GitHub Releases page. Additional details are available in the GitHub Security Advisory GHSA-gq2m-77hf-vwgh.
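The difference between the two logout behaviours described in the Root Cause and Patch Information sections comes down to one server-side step. The Go program below is an added example, not OliveTin's code: it models the "registered states" map as a hypothetical `SessionStore`, writes the vulnerable logout (cookie cleared, server entry kept) beside the fixed one (server entry revoked, then cookie cleared), and checks what each achieves against a copy of the SID taken before logout. The cookie name `olivetin-sid-oauth` comes from the page; the SID value and the one-year lifetime used in the simulation are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// SessionStore is a hypothetical in-memory store standing in for the
// "registered states" map the advisory describes. It is not OliveTin's code.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]time.Time // SID -> expiry time
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: make(map[string]time.Time)}
}

// Login registers a server-side session with the given lifetime.
func (s *SessionStore) Login(sid string, ttl time.Duration) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[sid] = time.Now().Add(ttl)
}

// Check is what a cookie-based auth check does: the SID must exist and be unexpired.
func (s *SessionStore) Check(sid string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.sessions[sid]
	return ok && time.Now().Before(exp)
}

// Revoke removes the server-side entry; deleting a missing key is a no-op.
func (s *SessionStore) Revoke(sid string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, sid)
}

const cookieName = "olivetin-sid-oauth"

// clearCookie tells the browser to drop the cookie. This changes browser-side state only.
func clearCookie(w http.ResponseWriter) {
	http.SetCookie(w, &http.Cookie{Name: cookieName, Value: "", MaxAge: -1, Path: "/"})
}

// LogoutVulnerable reproduces the pre-3000.11.1 behaviour: only the cookie is cleared.
func LogoutVulnerable(w http.ResponseWriter, store *SessionStore, sid string) {
	clearCookie(w)
}

// LogoutFixed revokes the server-side session first, then clears the cookie.
func LogoutFixed(w http.ResponseWriter, store *SessionStore, sid string) {
	store.Revoke(sid)
	clearCookie(w)
}

// LogoutOutcome records what a logout implementation actually achieved.
type LogoutOutcome struct {
	CookieCleared bool // the browser was told to drop the cookie
	ReplayWorks   bool // a SID copied before logout still authenticates afterwards
}

// SimulateLogout logs a user in, keeps a copy of the SID (standing in for a cookie
// captured earlier), performs the given logout, then checks whether the copy still works.
func SimulateLogout(logout func(http.ResponseWriter, *SessionStore, string)) LogoutOutcome {
	store := NewSessionStore()
	const sid = "constructed-sid-0001" // constructed value
	store.Login(sid, 365*24*time.Hour)  // roughly the default one-year expiry
	captured := sid

	rec := httptest.NewRecorder()
	logout(rec, store, sid)

	cleared := false
	for _, c := range rec.Result().Cookies() {
		if c.Name == cookieName && c.MaxAge < 0 { // Max-Age=0 parses back as -1
			cleared = true
		}
	}
	return LogoutOutcome{CookieCleared: cleared, ReplayWorks: store.Check(captured)}
}

func main() {
	fmt.Printf("vulnerable logout: %+v\n", SimulateLogout(LogoutVulnerable))
	fmt.Printf("fixed logout:      %+v\n", SimulateLogout(LogoutFixed))
}
```

Both variants clear the cookie, so from the browser's point of view they are indistinguishable; only the fixed variant makes the server forget the SID, which is the property a logout is expected to provide and the one the "Force logout all active sessions" action after upgrading relies on.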
Workarounds
- Reduce session expiry time from the default of approximately 1 year to a much shorter duration
- Implement additional network-level access controls to restrict OliveTin access to trusted networks only
- Use HTTPS exclusively to reduce the risk of session cookie interception
- Consider implementing IP-based session binding as an additional layer of protection
# Configuration example
# After upgrading to version 3000.11.1, restart the OliveTin service
systemctl restart olivetin
# Verify the running version
olivetin --version
# Expected output: 3000.11.1 or higher
# Review authentication logs for suspicious activity (extended regex, portable across grep builds)
grep -iE "logout|auth" /var/log/olivetin/olivetin.log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.