Description
OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching `sh -c`. When exploiting vector 1, any authenticated user (registration enabled by default, `authType: none` by default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process. When exploiting vector 2, an unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case. When an attacker exploits both vectors, this results in unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions. As of time of publication, a patched version is not available.
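The following Go program is an added example written for this page, not OliveTin's code, and it does not reproduce the project's real `checkShellArgumentSafety`. It contrasts the weakness class the description names (a per-type deny-list that overlooks one type, here `password`, before the values reach `sh -c`) with a fail-closed alternative: every argument type carries an explicit allow-list pattern, a type missing from the map is rejected, values extracted from a webhook JSON body go through the same validation as form-supplied ones, and the command is built with `exec.Command` argv so no shell ever parses the values. The `Argument` type, the type names, the validator patterns, the program path and the sample values are all assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"regexp"
)

// Argument is a hypothetical model of one web-supplied action argument. It is
// not OliveTin's own type, and the type names used below are illustrative.
type Argument struct {
	Name  string
	Type  string
	Value string
}

// denyListCheck mirrors the weakness class in the advisory (illustrative, not
// OliveTin's code): it refuses a fixed set of free-text types and lets every
// other type through untouched, so a type missing from the list ("password"
// here) would carry shell metacharacters straight into `sh -c`.
func denyListCheck(a Argument) error {
	switch a.Type {
	case "raw_string", "raw_string_multiline":
		return fmt.Errorf("argument %q: type %s is not allowed in shell mode", a.Name, a.Type)
	}
	return nil
}

// typeValidators is the fail-closed replacement: every type has an explicit
// allow-list pattern, a type absent from the map is rejected, and no pattern admits shell metacharacters.
var typeValidators = map[string]*regexp.Regexp{
	"int":      regexp.MustCompile(`^-?[0-9]{1,18}$`),
	"ascii":    regexp.MustCompile(`^[A-Za-z0-9 _.-]{0,256}$`),
	"hostname": regexp.MustCompile(`^[A-Za-z0-9.-]{1,253}$`),
	"password": regexp.MustCompile(`^[A-Za-z0-9 _+=:,.@%^-]{0,128}$`),
}

// validateArg looks up the validator for the argument's declared type and
// rejects unknown types instead of assuming they were checked elsewhere.
func validateArg(a Argument) error {
	re, ok := typeValidators[a.Type]
	if !ok {
		return fmt.Errorf("argument %q: unknown type %q rejected", a.Name, a.Type)
	}
	if !re.MatchString(a.Value) {
		return fmt.Errorf("argument %q: value does not match the %s allow-list", a.Name, a.Type)
	}
	return nil
}

// BuildCommand validates every argument and returns a command whose values are
// passed as separate argv entries, so no shell parses them. Form and webhook paths both use it.
func BuildCommand(program string, args []Argument) (*exec.Cmd, error) {
	argv := make([]string, 0, len(args))
	for _, a := range args {
		if err := validateArg(a); err != nil {
			return nil, err
		}
		argv = append(argv, a.Value)
	}
	return exec.Command(program, argv...), nil
}

// ArgsFromWebhook maps string fields of a JSON webhook body onto the declared
// argument list (Name and Type set, Value empty); BuildCommand still validates the result.
func ArgsFromWebhook(body []byte, declared []Argument) ([]Argument, error) {
	var fields map[string]interface{}
	if err := json.Unmarshal(body, &fields); err != nil {
		return nil, fmt.Errorf("webhook body: %w", err)
	}
	out := make([]Argument, 0, len(declared))
	for _, d := range declared {
		raw, ok := fields[d.Name]
		if !ok {
			return nil, fmt.Errorf("webhook body missing field %q", d.Name)
		}
		s, ok := raw.(string)
		if !ok {
			return nil, fmt.Errorf("webhook field %q: expected a JSON string", d.Name)
		}
		out = append(out, Argument{Name: d.Name, Type: d.Type, Value: s})
	}
	return out, nil
}

func main() {
	// Constructed sample input: a password value that carries a metacharacter.
	args := []Argument{
		{Name: "host", Type: "hostname", Value: "db01"},
		{Name: "pw", Type: "password", Value: "x; id"},
	}
	fmt.Println("deny-list check:", denyListCheck(args[1])) // nil: the gap
	if _, err := BuildCommand("/usr/local/bin/rotate-credential", args); err != nil {
		fmt.Println("allow-list check:", err)
	}
}
```

The deny-list function is kept only to show the gap: it returns nil for the password value, while `BuildCommand` rejects the same value. The webhook path deliberately has no shortcut of its own; it produces `Argument` values and hands them to `BuildCommand`, so extraction from JSON never skips the type check.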
Published: 2026-02-25
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Monitor
AI Analysis

Impact

OliveTin exposes predefined shell commands through a web interface. In versions up to 3000.10.0, the safety check that blocks unsafe argument types fails to protect arguments of type `password`. An attacker can supply a `password` argument that contains shell metacharacters, leading to arbitrary OS command execution. The vulnerability also allows a second independent vector via webhook-extracted JSON values that bypass type safety checks before being passed to the shell. Together, these vectors enable Remote Code Execution with the privileges of the OliveTin process. The known weakness is CWE-78.

Affected Systems

OliveTin versions up to and including 3000.10.0 are affected. No patched version is available at the time of publication, and the application is commonly deployed as a local service with default authentication settings that can allow users to submit webhook calls or shell commands.

Risk and Exploitability

The vulnerability carries a CVSS score of 10.0 and an EPSS score of less than 1%, indicating low current exploitation likelihood but very high impact if exploited. Since the issue is not listed in CISA's KEV catalog, there is no known widespread active exploitation. An attacker could trigger the vulnerability remotely over HTTP, either by sending a crafted shell command request or by posting a webhook payload. Authenticated users (or all users when authentication is disabled) can perform the attack, and unauthenticated users can succeed if the instance accepts external webhooks. The high severity and ability to achieve full RCE warrant immediate mitigation.

Generated by OpenCVE AI on April 18, 2026 at 10:49 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Restrict network access to the OliveTin API and UI to trusted IP ranges or within a protected network segment.
  • Disable or tightly control webhook endpoints so that only specially authorized services can send payloads, or block webhooks entirely if they are not required.
  • Run OliveTin under a dedicated low-privilege user account so that any executed commands run with minimal system permissions.

Advisories
Source: GitHub GHSA
ID: GHSA-49gm-hh7w-wfvf
Title: OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks
History

Fri, 27 Feb 2026 19:00:00 +0000

CPEs (values added): cpe:2.3:a:olivetin:olivetin:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 17:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 12:00:00 +0000

First Time appeared (values added): Olivetin, Olivetin olivetin
Vendors & Products (values added): Olivetin, Olivetin olivetin

Wed, 25 Feb 2026 03:15:00 +0000

Description (values added): OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching `sh -c`. When exploiting vector 1, any authenticated user (registration enabled by default, `authType: none` by default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process. When exploiting vector 2, an unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case. When an attacker exploits both vectors, this results in unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions. As of time of publication, a patched version is not available.
Title (values added): OliveTin vulnerable to OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks
Weaknesses (values added): CWE-78
References
Metrics (values added): cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T17:07:28.612Z

Reserved: 2026-02-20T22:02:30.027Z

Link: CVE-2026-27626

Vulnrichment

Updated: 2026-02-27T17:06:58.452Z

NVD

Status : Analyzed

Published: 2026-02-25T03:16:06.347

Modified: 2026-02-27T18:58:46.380

Link: CVE-2026-27626

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:00:05Z

Weaknesses