CVE-2026-30233

Medium CVSS: 6.5

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1.

Vendor

Olivetin

Product

Olivetin

CWE

CWE-200

Yayın Tarihi

2026-03-06 21:16:17

Güncelleme

2026-03-12 15:19:08

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-200 Olivetin MEDIUM Olivetin 2026

Referanslar

https://github.com/OliveTin/OliveTin/commit/d7962710e7c46f6bdda4188b5b0cdbde4be665a0 https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1 https://github.com/OliveTin/OliveTin/security/advisories/GHSA-jf73-858c-54pg

Benzer Kayıtlar

High

CVE-2026-32102

OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin’s live Event…

High

CVE-2026-31817

OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature i…

High

CVE-2026-30223

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentica…

Medium

CVE-2026-30224

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not r…

Medium

CVE-2026-30225

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authentication c…

High

CVE-2026-28789

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated…