Description
OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure.
Published: 2026-03-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

OliveTin’s EventStream feature broadcasts execution events and action output to all authenticated dashboard subscribers without enforcing per-action authorization. This flaw allows a low‑privileged authenticated user to receive the output of commands they are not permitted to view, leading to sensitive information disclosure. The weakness corresponds to CWE‑284 (Improper Authorization) and CWE‑863 (Missing Authorization for a Mechanism).

Affected Systems

The vulnerability affects OliveTin 3000.10.2 and earlier. All deployments of OliveTin that use the default EventStream setting and have multiple authenticated users are potentially impacted. The CNA identifies OliveTin:OliveTin as the affected vendor/product.

Risk and Exploitability

The CVSS score is 7.1, indicating a high severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the near term, and the vulnerability is not listed in CISA’s KEV catalog. However, because the exploit requires only normal authentication to the dashboard, an attacker who gains such credentials can easily obtain unauthorized command output. The overall risk is moderate-high for environments with sensitive data handled by OliveTin commands.

Generated by OpenCVE AI on March 17, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OliveTin to version 3000.10.3 or later, where the EventStream authorization has been fixed.
  • If an upgrade is delayed, reconfigure or disable the EventStream feature so that only authorized users receive command output.
  • Verify that the dashboard’s per‑action authorization settings correctly restrict output visibility for each authenticated user.

Generated by OpenCVE AI on March 17, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-228v-wc5r-j8m7 OliveTin Vulnerable to Unauthorized Action Output Disclosure via EventStream
History

Tue, 17 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:olivetin:olivetin:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Olivetin
Olivetin olivetin
Vendors & Products Olivetin
Olivetin olivetin

Wed, 11 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure.
Title OliveTin Unauthorized Action Output Disclosure via EventStream
Weaknesses CWE-284
CWE-863
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Olivetin Olivetin
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T19:47:37.664Z

Reserved: 2026-03-10T22:02:38.854Z

Link: CVE-2026-32102

cve-icon Vulnrichment

Updated: 2026-03-12T19:47:34.884Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T21:16:16.167

Modified: 2026-03-17T15:34:48.810

Link: CVE-2026-32102

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:37:22Z

Weaknesses