
OliveTin EUVD-2026-36906

CVE-2026-48708 · HIGH · Race Condition (CWE-362)
Published 2026-06-15 · Vendor: GitHub_M · CVSS 3.1 base score 7.5

Severity by source

Vendor (GitHub_M), primary: 7.5 HIGH, AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 7.5 HIGH

Network-reachable web UI requires a low-privileged authenticated account (PR:L, AV:N); race timing makes exploitation non-deterministic (AC:H); cross-user command execution yields full C/I/A impact.

CVSS 3.1: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Patch available: Jun 15, 2026, 22:32 (EUVD)
Source Code Evidence Fetched: Jun 15, 2026, 21:52 (vuln.today)
Analysis Generated: Jun 15, 2026, 21:52 (vuln.today)

Description (CVE.org)

OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level variable in service/internal/tpl/templates.go) across all goroutines. Every action execution calls tpl.Parse(source) followed by t.Execute() on this shared instance with no synchronization. When two or more actions execute concurrently (which is the normal case - each ExecRequest spawns a goroutine), a race condition occurs: one goroutine's Parse overwrites the template tree while another goroutine is calling Execute, causing cross-user command contamination, Go runtime panic, and incorrect command execution. This issue has been resolved in version 3000.13.0.
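The pattern the description names, a package-level template that every request re-parses and then executes, is easiest to see next to a per-request alternative. The following Go program is an added example written for this page; it is not OliveTin's code and not the project's actual patch, and the Job type, the renderer functions and the sample command templates are constructed for illustration. The hardened renderer gives each execution its own template value, so no parser state is shared between goroutines.

```go
package main

import (
	"bytes"
	"fmt"
	"sync"
	"text/template"
)

// Job pairs one action's command template with the arguments of one request.
// (Constructed for this example; not OliveTin's own types.)
type Job struct {
	Source string            // command template, e.g. "echo {{ .user }}"
	Args   map[string]string // per-request parameters
}

// Renderer turns a job's template and arguments into the final command line.
type Renderer func(src string, args map[string]string) (string, error)

// --- Vulnerable pattern (the shape the advisory describes) ---
//
// One package-level template is shared by every goroutine. Each execution
// re-parses its source INTO that shared value and then executes it. Parse
// replaces the template's parse tree and writes to its internal name map, so
// two goroutines doing Parse/Execute at once can pick up each other's tree
// (one request runs the other's command) or corrupt shared state and crash.
var sharedTpl = template.New("shared")

func renderShared(src string, args map[string]string) (string, error) {
	t, err := sharedTpl.Parse(src) // overwrites whatever tree was there before
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, args); err != nil {
		return "", err
	}
	return out.String(), nil
}

// --- Hardened pattern (an assumed fix for illustration, not the project's patch) ---
//
// Each execution parses into its own template value, so there is no shared
// mutable parser state and no lock is needed. Executing an already-parsed
// template is documented as safe for parallel use.
func renderIsolated(src string, args map[string]string) (string, error) {
	t, err := template.New("action").Parse(src)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, args); err != nil {
		return "", err
	}
	return out.String(), nil
}

// RenderAll runs every job in its own goroutine, mirroring one goroutine per
// ExecRequest, and returns the outputs in job order. Only renderIsolated is
// safe to pass here: renderShared under concurrency can hit the Go runtime's
// unrecoverable "concurrent map writes" fault, the panic outcome the
// advisory mentions, so it is deliberately never run concurrently in this file.
func RenderAll(render Renderer, jobs []Job) []string {
	results := make([]string, len(jobs))
	var wg sync.WaitGroup
	for i, job := range jobs {
		wg.Add(1)
		go func(i int, job Job) {
			defer wg.Done()
			out, err := render(job.Source, job.Args)
			if err != nil {
				out = "error: " + err.Error()
			}
			results[i] = out // each goroutine writes only its own slot
		}(i, job)
	}
	wg.Wait()
	return results
}

// SampleJobs returns constructed requests from two users hitting two
// different actions, the cross-user situation the CVE is about.
func SampleJobs() []Job {
	return []Job{
		{Source: "backup --owner {{ .user }}", Args: map[string]string{"user": "alice"}},
		{Source: "restart-service {{ .svc }}", Args: map[string]string{"svc": "nginx"}},
		{Source: "backup --owner {{ .user }}", Args: map[string]string{"user": "bob"}},
	}
}

func main() {
	for _, line := range RenderAll(renderIsolated, SampleJobs()) {
		fmt.Println(line)
	}
}
```

The shared renderer behaves correctly when calls are strictly sequential, which is why the defect hides until two requests overlap; Go's race detector (`go test -race`) reports the unsynchronized access to sharedTpl as soon as two goroutines parse into it, so a race-enabled test that exercises concurrent action execution is a cheap regression check for this class of bug.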

Analysis (AI)

Concurrent action execution in OliveTin versions 3000.0.0 and prior triggers a race condition in a shared text/template.Template instance, enabling cross-user command contamination, runtime panics, and execution of unintended commands. Authenticated users of the OliveTin web interface can exploit this by issuing parallel ExecRequests; no public exploit is identified at time of analysis, but the bug manifests during normal multi-user operation. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate to OliveTin web UI
Delivery: Identify target privileged action
Exploit: Spam concurrent ExecRequests
Execution: Win Parse/Execute race
Persist: Privileged template executed under attacker context
Impact: Arbitrary command runs as OliveTin process

Vulnerability Assessment (AI)

Exploitation: Requires an authenticated account on the OliveTin web interface (PR:L) and at least two action executions happening concurrently, which is the normal operating mode whenever more than one user, or one user with parallel browser tabs, triggers actions. …

Risk Assessment: The CVSS:3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H scores 7.5 (High) and matches the threat model: an authenticated low-privileged web user, network-reachable, with high attack complexity because exploitation depends on goroutine scheduling. …

Exploit Scenario: Two authenticated OliveTin users, or one user triggering two actions in rapid succession, submit ExecRequests that race inside the shared template parser; the second Parse overwrites the first action's template tree just before Execute runs, causing user A's request to execute user B's parameterized shell command (or to panic the goroutine). An attacker with a low-privilege account could repeatedly invoke a benign action while a privileged user is known to be active, hoping to have their template tree adopted by the privileged user's Execute path and run an elevated command. …

Remediation: Vendor-released patch: upgrade to OliveTin 3000.13.0 or later (commit d74da9314005954dd49fa20dabf272247bc76519, advisory GHSA-7fq5-7wr8-rjwj at https://github.com/OliveTin/OliveTin/security/advisories/GHSA-7fq5-7wr8-rjwj); container users should pull ghcr.io/olivetin/olivetin:3000.13.0 or docker.io/jamesread/olivetin:3000.13.0. …

Recommended Action (AI)

Within 24 hours: Identify all OliveTin deployments and confirm versions in use. …


EUVD-2026-36906 vulnerability details – vuln.today
