Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1.
Published: 2026-03-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure – authenticated users whose access control list sets view: false can still enumerate action bindings and their metadata (titles, IDs, icons, argument definitions)
Action: Patch
AI Analysis

Impact

OliveTin exposes predefined shell commands through a web interface. An authorization flaw lets authenticated users whose access control list sets view: false still request the dashboard and action-binding API endpoints, which return action metadata (titles, identifiers, icons and argument definitions) without consulting IsAllowedView(). The flaw does not grant execution rights, since the exec check is enforced separately, but the leaked metadata reveals which commands exist and which inputs they take, which helps an attacker plan a targeted follow-on attempt against those actions. The issue is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-862 (Missing Authorization).
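To make the missing check concrete, the following is an added example in Go (the language OliveTin is written in); it is not OliveTin's own code. The Action, ACL and User types, the IsAllowedView/IsAllowedExec methods and the two builder functions are names assumed for the illustration, and the sample actions and users are constructed. The vulnerable builder reproduces the behaviour the advisory describes (exec gated, view never consulted); the fixed builder applies the view check while assembling the response, which is the shape of the 3000.11.1 fix as described, not its literal code.

```go
package main

import (
	"fmt"
	"sort"
)

// Added illustration of the advisory's IsAllowedView() gap; not OliveTin's
// code. Action, ACL, User and the builder functions are hypothetical names.

// Action is the per-binding metadata that the dashboard response carries.
type Action struct {
	ID    string
	Title string
	Icon  string
	Args  []string
}

// ACL holds the two permissions the advisory distinguishes for one action.
type ACL struct {
	View bool
	Exec bool
}

// User maps action IDs to permissions; an absent entry is deny (zero value).
type User struct {
	Name string
	ACLs map[string]ACL
}

func (u User) IsAllowedView(a Action) bool { return u.ACLs[a.ID].View }
func (u User) IsAllowedExec(a Action) bool { return u.ACLs[a.ID].Exec }

// buildDashboardVulnerable models the pre-3000.11.1 behaviour: every binding
// is copied into the response and the view permission is never consulted.
func buildDashboardVulnerable(_ User, all []Action) []Action {
	out := make([]Action, 0, len(all))
	for _, a := range all {
		out = append(out, a) // leaks title, ID, icon and Args to view:false users
	}
	return out
}

// buildDashboardFixed applies the view check while constructing the response,
// so a view:false user receives neither the binding nor its argument metadata.
func buildDashboardFixed(u User, all []Action) []Action {
	out := make([]Action, 0, len(all))
	for _, a := range all {
		if !u.IsAllowedView(a) {
			continue
		}
		out = append(out, a)
	}
	return out
}

// execute is the exec gate, which the advisory says was already enforced.
func execute(u User, a Action) error {
	if !u.IsAllowedExec(a) {
		return fmt.Errorf("exec denied: user %q, action %q", u.Name, a.ID)
	}
	return nil
}

// ids returns the sorted action IDs in a response, for comparison.
func ids(as []Action) []string {
	out := make([]string, 0, len(as))
	for _, a := range as {
		out = append(out, a.ID)
	}
	sort.Strings(out)
	return out
}

// Constructed sample data, not taken from any real OliveTin configuration.
var constructedActions = []Action{
	{ID: "backup-db", Title: "Backup database", Icon: "database", Args: []string{"target"}},
	{ID: "restart-web", Title: "Restart web tier", Icon: "refresh", Args: []string{"host"}},
	{ID: "rotate-keys", Title: "Rotate API keys", Icon: "key"},
}

var (
	// restrictedUser has view:false and exec:false on everything (empty map).
	restrictedUser = User{Name: "viewer-denied", ACLs: map[string]ACL{}}
	// opsUser may view and run exactly one action.
	opsUser = User{Name: "ops", ACLs: map[string]ACL{"restart-web": {View: true, Exec: true}}}
	// adminUser may view and run all three.
	adminUser = User{Name: "admin", ACLs: map[string]ACL{
		"backup-db":   {View: true, Exec: true},
		"restart-web": {View: true, Exec: true},
		"rotate-keys": {View: true, Exec: true},
	}}
)

func main() {
	fmt.Println("vulnerable, restricted user sees:", ids(buildDashboardVulnerable(restrictedUser, constructedActions)))
	fmt.Println("fixed, restricted user sees:     ", ids(buildDashboardFixed(restrictedUser, constructedActions)))
	fmt.Println("fixed, ops user sees:            ", ids(buildDashboardFixed(opsUser, constructedActions)))
	fmt.Println("exec by restricted user:", execute(restrictedUser, constructedActions[0]))
}
```

The deny-by-default map is the point worth copying: a user with no ACL entry for an action gets neither view nor exec, so the response builder and the exec gate fail closed together rather than relying on the exec gate alone to hide what the dashboard already disclosed.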

Affected Systems

All OliveTin installations prior to 3000.11.1 are affected, regardless of deployment environment; the NVD configuration covers every version matching cpe:2.3:a:olivetin:olivetin. The fix shipped in version 3000.11.1.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects a network-reachable, low-complexity flaw that needs only a low-privileged account and affects confidentiality alone; integrity and availability are unaffected. The EPSS score of under 1% shows a very low predicted probability of exploitation at the time of analysis, and the vulnerability is not in the CISA KEV catalog, although the SSVC assessment records a public proof of concept and rates the flaw as automatable. An attacker needs an authenticated session on the web interface and nothing more: any account with view: false on an action can request the dashboard or action-binding endpoints and read that action's metadata directly.

Generated by OpenCVE AI on April 17, 2026 at 12:17 UTC.

Remediation

Fixed in OliveTin 3000.11.1, which enforces the view check when building dashboard and action binding responses (see GHSA-jf73-858c-54pg). No vendor workaround for unpatched versions is documented.

OpenCVE Recommended Actions

  • Upgrade OliveTin to version 3000.11.1 or later to apply the vendor patch that enforces view checks for dashboard and API responses
  • Until the upgrade is applied, assume every authenticated account can read the titles, IDs, icons and argument metadata of all actions: review access control lists so that accounts with view: false hold no other rights on sensitive actions, and strip internal hostnames, paths or other sensitive detail from action titles and argument descriptions
  • Implement network segmentation or firewall rules to restrict access to the OliveTin web interface to trusted internal hosts only, and monitor for anomalous API enumeration attempts


Advisories
Source: GitHub GHSA
ID: GHSA-jf73-858c-54pg
Title: OliveTin doesn't check view permission when returning dashboards
History

Thu, 12 Mar 2026 15:30:00 +0000

Values added:
CPEs: cpe:2.3:a:olivetin:olivetin:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 21:15:00 +0000

Values added:
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Values added:
First Time appeared: Olivetin; Olivetin olivetin
Vendors & Products: Olivetin; Olivetin olivetin

Fri, 06 Mar 2026 21:15:00 +0000

Values added:
Description: (as in the Description field at the top of this page)
Title: OliveTin: View permission not being checked when returning dashboards
Weaknesses: CWE-200, CWE-862
References
Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:54:29.334Z

Reserved: 2026-03-04T17:23:59.798Z

Link: CVE-2026-30233

Vulnrichment

Updated: 2026-03-09T20:47:38.365Z

NVD

Status : Analyzed

Published: 2026-03-06T21:16:17.370

Modified: 2026-03-12T15:19:08.037

Link: CVE-2026-30233

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses