Session Management Flaw in Katalyst Koi Framework
CVE-2026-44511

7.4 HIGH

Key Information:

Vendor

Katalyst

Status
Vendor
CVE Published:
14 May 2026

What is CVE-2026-44511?

Katalyst Koi, a framework for building Rails admin interfaces, has a significant flaw in its session management. Versions prior to 4.20.0 and 5.6.0 do not properly invalidate admin session cookies when a user logs out: the browser is told to drop the cookie, but the server keeps accepting it. An attacker who holds a copy of a valid admin session cookie can therefore keep using admin features after the legitimate user has logged out, until the cookie expires on its own or the application's session secrets are rotated. This exposes the system to unauthorized admin access, and affected users should upgrade promptly.
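The pattern behind this class of flaw, as an added illustration that is not Koi's code: a signed session cookie is still valid after logout if logout only clears it in the browser. The hardened variant below keeps a per-user session token on the server and rotates it on logout, so every previously issued cookie for that user fails the check. Class and method names, the in-memory token store and the secret are constructed for this example.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Constructed example: an HMAC-signed admin session cookie plus a server-side
# per-user token that logout rotates. Not Koi's implementation; names are illustrative.
class AdminSessions
  def initialize(secret)
    @secret = secret
    @session_tokens = {} # user_id => current token (hypothetical server-side store)
  end

  # Issue a signed cookie value for user_id: base64(payload)--hmac(payload)
  def login(user_id)
    @session_tokens[user_id] ||= SecureRandom.hex(16)
    payload = { 'user_id' => user_id, 'token' => @session_tokens[user_id] }.to_json
    encoded = [payload].pack('m0')
    "#{encoded}--#{sign(encoded)}"
  end

  # Vulnerable behaviour: logout only instructs the browser to drop the cookie.
  # Any copy of the cookie still verifies until the secret is rotated.
  def logout_cookie_only(_user_id)
    'admin_session=; Max-Age=0'
  end

  # Fixed behaviour: rotate the server-side token as well, which invalidates
  # every cookie issued for this user before the logout.
  def logout_with_revocation(user_id)
    @session_tokens[user_id] = SecureRandom.hex(16)
    'admin_session=; Max-Age=0'
  end

  # Returns the user_id for a valid, current cookie; nil otherwise.
  def authenticate(cookie)
    encoded, sig = cookie.to_s.split('--', 2)
    return nil unless encoded && sig && secure_compare(sign(encoded), sig)
    data = JSON.parse(encoded.unpack1('m0'))
    return nil unless @session_tokens[data['user_id']] == data['token']
    data['user_id']
  end

  # Rotating the application secret (the blanket remediation the advisory
  # mentions) also invalidates every outstanding cookie, for all users at once.
  def rotate_secret!(new_secret)
    @secret = new_secret
  end

  private

  def sign(str)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, str)
  end

  # Constant-time comparison so signature checks do not leak timing information.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walk through the flaw and the fix with a constructed user id (42).
# Returns [user after login, user after cookie-only logout, user after revoking logout].
def demo
  sessions = AdminSessions.new('constructed-secret-not-for-production')
  cookie = sessions.login(42)
  before = sessions.authenticate(cookie)
  sessions.logout_cookie_only(42)
  after_cookie_only = sessions.authenticate(cookie) # still 42: the flaw
  sessions.logout_with_revocation(42)
  after_revocation = sessions.authenticate(cookie)  # nil: cookie rejected
  [before, after_cookie_only, after_revocation]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The server-side token is the piece a cookie-only logout lacks: without some state the server can consult, a signed cookie stays valid until it expires or the signing secret changes, which is exactly the window the advisory describes.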

Affected Version(s)

koi < 4.20.0

koi >= 5.0.0, <= 5.6.0

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved