Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authentication context confusion vulnerability in RestartAction allows a low-privileged authenticated user to execute actions they are not permitted to run. RestartAction constructs a new internal connect.Request without preserving the original caller’s authentication headers or cookies. When this synthetic request is passed to StartAction, the authentication resolver falls back to the guest user. If the guest account has broader permissions than the authenticated caller, this results in privilege escalation and unauthorized command execution. This vulnerability allows a low-privileged authenticated user to bypass ACL restrictions and execute arbitrary configured shell actions. This issue has been patched in version 3000.11.1.
Published: 2026-03-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

OliveTin’s RestartAction feature builds a synthetic request that drops the original authenticated user’s headers and cookies. When this request is supplied to StartAction, the authentication resolver defaults to the guest account. If the guest has broader permissions than the requesting user, the attacker can bypass ACL restrictions and execute configured shell commands via the web interface. This flaw enables a low-privileged but authenticated user to run arbitrary configured actions that they are normally forbidden from performing.
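The following Go program is an added illustration of the bug class, not OliveTin’s own code: a minimal ACL check, an authentication resolver that falls back to guest, a restart path that builds a fresh request (losing the caller’s identity) and the corrected path that forwards the caller’s headers. The ACL contents, the X-User identity header and the action names are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
)

// Constructed ACL: guest has been misconfigured with broader rights than
// the authenticated user "alice" (the precondition the advisory describes).
var acl = map[string]map[string]bool{
	"guest": {"restart-db": true, "reboot-host": true},
	"alice": {"restart-db": true},
}

// resolveUser stands in for the auth resolver: it reads an assumed identity
// header X-User and falls back to guest when it is absent.
func resolveUser(h http.Header) string {
	if u := h.Get("X-User"); u != "" {
		return u
	}
	return "guest"
}

// startAction checks the resolved caller against the ACL and reports which
// principal the check ran as.
func startAction(h http.Header, action string) (string, error) {
	user := resolveUser(h)
	if !acl[user][action] {
		return user, fmt.Errorf("%s may not run %s", user, action)
	}
	return user, nil
}

// restartVulnerable mirrors the flaw: the inner request is built from
// scratch, so the caller's identity is lost and the check runs as guest.
func restartVulnerable(_ http.Header, action string) (string, error) {
	return startAction(http.Header{}, action)
}

// restartFixed forwards the caller's headers, so both checks see the
// same principal.
func restartFixed(caller http.Header, action string) (string, error) {
	return startAction(caller.Clone(), action)
}

func main() {
	alice := http.Header{"X-User": {"alice"}}
	fmt.Println(restartVulnerable(alice, "reboot-host")) // guest <nil>: escalation
	fmt.Println(restartFixed(alice, "reboot-host"))      // alice, error "alice may not run reboot-host"
}
```

The detection signal for this class of bug is the same in any code base: an inner authorization check that resolves a different principal than the outer request, which the fixed path makes impossible by propagating the caller’s context.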

Affected Systems

OliveTin is the affected product. Any installation older than version 3000.11.1 is vulnerable. The update to version 3000.11.1 includes the fix; earlier releases remain at risk.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. The EPSS score of less than 1% signifies low likelihood of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Attackers must first authenticate to the OliveTin web interface and then invoke a RestartAction for an action they lack rights to. Because the synthetic request is treated as a guest session, the attacker enjoys elevated privileges defined for the guest account. No advanced prerequisites beyond a legitimate user login or remote access to the web interface are required.

Generated by OpenCVE AI on April 16, 2026 at 11:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OliveTin to version 3000.11.1 or later to apply the vendor patch
  • Reconfigure ACL settings to ensure the guest user has no broader permissions than authenticated users or disable guest access entirely
  • Disable or remove the RestartAction feature if it is not needed for operation

Advisories
Source: Github GHSA
ID: GHSA-p443-p7w5-2f7f
Title: OliveTin's RestartAction always runs actions as guest
History

Thu, 12 Mar 2026 16:00:00 +0000

Type: CPEs
Values added: cpe:2.3:a:olivetin:olivetin:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values added: Olivetin; Olivetin olivetin
Type: Vendors & Products
Values added: Olivetin; Olivetin olivetin

Fri, 06 Mar 2026 21:15:00 +0000

Type: Description
Values added: (identical to the description at the top of this page)
Type: Title
Values added: OliveTin: RestartAction always runs actions as guest
Type: Weaknesses
Values added: CWE-250, CWE-441
Type: References
Values added: (none listed)
Type: Metrics (cvssV3_1)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:54:29.579Z

Reserved: 2026-03-04T17:23:59.797Z

Link: CVE-2026-30225

Vulnrichment

Updated: 2026-03-09T20:51:34.343Z

NVD

Status: Analyzed

Published: 2026-03-06T21:16:16.443

Modified: 2026-03-12T15:46:39.533

Link: CVE-2026-30225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses