Olivetin
CVE-2026-30233
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1.
AnalysisAI
OliveTin prior to version 3000.11.1 fails to enforce view permission checks on dashboard and API endpoints, allowing authenticated users to enumerate action bindings, titles, IDs, icons, and argument metadata despite having restricted access. While command execution remains properly denied, this information disclosure enables attackers to map available actions and their configurations. Public exploit code exists for this medium-severity vulnerability, and a patch is available.
Technical ContextAI
Classified as CWE-200 (Information Exposure). Affects the dashboard and API component of Olivetin. OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argumen
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 3000.11.1.. Restrict network access to the affected service where possible.
OS command injection in OliveTin web shell interface through version 3000.10.0. OliveTin provides web-based access to pr
OliveTin gives access to predefined shell commands from a web interface. [CVSS 8.8 HIGH]
Arbitrary file write in OliveTin prior to 3000.11.2 allows authenticated attackers to write files to arbitrary filesyste
OliveTin versions prior to 3000.10.2 are vulnerable to unauthenticated denial of service through the PasswordHash API en
OliveTin versions prior to 3000.10.3 are vulnerable to unauthenticated denial-of-service attacks when OAuth2 authenticat
OliveTin versions prior to 3000.11.0 suffer from broken access control allowing unauthenticated users to invoke the Kill
OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/a
OliveTin prior to version 3000.11.1 fails to invalidate server-side sessions upon user logout, allowing attackers with a
OliveTin versions prior to 3000.11.1 contain an authentication bypass in RestartAction that allows authenticated users t
Concurrent action execution in OliveTin versions 3000.0.0 and prior triggers a race condition in a shared text/template.
### Summary OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subs
OliveTin's ValidateArgumentType RPC endpoint exposes action binding IDs and argument configurations to unauthenticated n
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
GHSA-jf73-858c-54pg