
OliveTin EUVD-2026-36907

CVE-2026-48709 LOW
Missing Authorization (CWE-862)
2026-06-15 GitHub_M
3.7
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 3.7 LOW
  AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

vuln.today AI: 3.7 LOW
  Network-reachable endpoint requiring no attacker privileges, but AC:H because exploitation requires the non-default AuthRequireGuestsToLogin setting; confidentiality limited to action metadata only.
  CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
  CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: Jun 15, 2026 - 22:56 (vuln.today)
Analysis Generated: Jun 15, 2026 - 22:56 (vuln.today)
Patch available: Jun 15, 2026 - 22:32 (EUVD)

Description (CVE.org)

OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations. This issue has been fixed in version 3000.13.0.

Analysis (AI)

OliveTin's ValidateArgumentType RPC endpoint exposes action binding IDs and argument configurations to unauthenticated network requesters in all versions prior to 3000.13.0, functioning as an enumeration oracle. The bypass is particularly counterintuitive because it manifests specifically when AuthRequireGuestsToLogin is enabled - the hardened security posture - meaning operators who consciously locked down their instance are the ones exposed. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify OliveTin instance with AuthRequireGuestsToLogin enabled
Delivery: Send unauthenticated HTTP requests to ValidateArgumentType endpoint
Exploit: Enumerate valid action binding IDs via oracle responses
Execution: Extract argument type schemas for each binding
Persist: Map full configured shell command surface
Impact: Target sensitive commands in follow-on attack

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the OliveTin configuration has AuthRequireGuestsToLogin explicitly set to true; the description labels this the "security-conscious configuration", implying it is not the default state. …

Risk Assessment: The CVSS 3.1 score of 3.7 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N correctly characterizes this as a low-priority finding. …

Exploit Scenario: An unauthenticated attacker with HTTP access to an OliveTin instance configured with AuthRequireGuestsToLogin enabled sends iterative requests to the ValidateArgumentType RPC endpoint, probing candidate action binding IDs. The endpoint returns validation responses that confirm whether an ID is valid and reveal the associated argument type schema, allowing the attacker to reconstruct the full set of configured shell commands and their input parameters without any credentials. …

Remediation: Upgrade OliveTin to version 3000.13.0, which resolves this issue via commit a3865704c854061452a4ab5f6d95de3312698ccd as documented in the release at https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0. …
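The defect the description names is a single data-returning RPC method that never calls the login check the other methods call. The Go example below is added here and is not OliveTin's code: it models that pattern with a hypothetical method registry in which one handler is installed without the gate (standing in for the unguarded ValidateArgumentType) while another goes through a central wrapper, and an AuditGuestAccess function probes every registered method as a guest and lists those that answer at all. That audit is the regression check a maintainer would want, because a "not found" reply to a guest is just as much an oracle as a schema. Config, requireLogin, WithUser, Server, Handler, the two method names and the binding table are all constructed assumptions; the real auth.UserFromApiCall and checkDashboardAccess are not reproduced.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sort"
)

// Config stands in for the one setting that matters here (hypothetical, not the project's type).
type Config struct {
	AuthRequireGuestsToLogin bool
}

type ctxKey struct{}

// WithUser attaches an authenticated username to the context; its absence means "guest".
func WithUser(ctx context.Context, name string) context.Context {
	return context.WithValue(ctx, ctxKey{}, name)
}

var ErrUnauthenticated = errors.New("unauthenticated: guests must log in")

// requireLogin is the check every data-returning method needs when AuthRequireGuestsToLogin
// is set. It plays the role the advisory assigns to auth.UserFromApiCall, as a constructed stand-in.
func requireLogin(cfg *Config, ctx context.Context) error {
	_, loggedIn := ctx.Value(ctxKey{}).(string)
	if cfg.AuthRequireGuestsToLogin && !loggedIn {
		return ErrUnauthenticated
	}
	return nil
}

// Handler is one RPC method: request string in, response string out.
type Handler func(ctx context.Context, req string) (string, error)

// Server is a minimal method registry standing in for the RPC server.
type Server struct {
	cfg     *Config
	methods map[string]Handler
}

func NewServer(cfg *Config) *Server {
	return &Server{cfg: cfg, methods: map[string]Handler{}}
}

// RegisterUnguarded installs a handler as-is: the per-handler pattern in which a method
// is protected only if its own body remembers to check. This reproduces the bug shape.
func (s *Server) RegisterUnguarded(name string, h Handler) {
	s.methods[name] = h
}

// Register applies the login gate on the dispatch path, so a handler body that forgets
// the check is still protected. This is the structural hardening.
func (s *Server) Register(name string, h Handler) {
	s.methods[name] = func(ctx context.Context, req string) (string, error) {
		if err := requireLogin(s.cfg, ctx); err != nil {
			return "", err
		}
		return h(ctx, req)
	}
}

// Call dispatches a request to a named method.
func (s *Server) Call(ctx context.Context, method, req string) (string, error) {
	h, ok := s.methods[method]
	if !ok {
		return "", fmt.Errorf("unknown method %q", method)
	}
	return h(ctx, req)
}

// AuditGuestAccess invokes every registered method as a guest and returns, sorted, the
// names of those that reply with anything other than ErrUnauthenticated. Data or a
// "not found" error both act as an oracle, so both count as a leak.
func AuditGuestAccess(s *Server) []string {
	var leaking []string
	guest := context.Background()
	for name := range s.methods {
		if _, err := s.Call(guest, name, "probe"); !errors.Is(err, ErrUnauthenticated) {
			leaking = append(leaking, name)
		}
	}
	sort.Strings(leaking)
	return leaking
}

// BuildDemoServer wires two methods over a constructed binding table: one through the
// central gate and one installed unguarded (the bug pattern).
func BuildDemoServer(guestsMustLogin bool) *Server {
	bindings := map[string]string{"restart-web": "service:string", "disk-usage": "path:string"} // constructed sample data
	lookup := func(_ context.Context, id string) (string, error) {
		schema, ok := bindings[id]
		if !ok {
			return "", errors.New("unknown binding")
		}
		return schema, nil
	}
	s := NewServer(&Config{AuthRequireGuestsToLogin: guestsMustLogin})
	s.Register("GetActions", lookup)
	s.RegisterUnguarded("ValidateArgumentType", lookup) // the forgotten gate
	return s
}

func main() {
	s := BuildDemoServer(true)
	fmt.Println("methods answering a guest:", AuditGuestAccess(s))
	s.Register("ValidateArgumentType", s.methods["ValidateArgumentType"]) // wrap the stray method
	fmt.Println("after wrapping:", AuditGuestAccess(s))
}
```

With AuthRequireGuestsToLogin set, the audit lists only ValidateArgumentType until that method is re-registered through the wrapper, after which nothing answers a guest. The point of gating on the dispatch path rather than inside each handler is that a new data-returning method cannot be added ungated by omission; keeping an audit like this in the test suite catches any method that is installed around the wrapper.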
