CVE-2026-27626
Published 2026-02-25
Priority: P2 (70) · Severity: critical · CVSS 3.1 base score: 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.45% (35.8th percentile)
OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching `sh -c`. When exploiting vector 1, any authenticated user (registration enabled by default, `authType: none` by default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process. When exploiting vector 2, an unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case. When an attacker exploits both vectors, this results in unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions. As of time of publication, a patched version is not available.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | olivetin_olivetin | >= 0 < 0.0.0-20260222101908-4bbd2eab1532 | 0.0.0-20260222101908-4bbd2eab1532 |
| olivetin | olivetin | <= 3000.10.0 | — |
Detection & IOCs (extracted from sources)
- Monitor for shell metacharacters in `password`-typed arguments submitted to OliveTin's web interface, as the `checkShellArgumentSafety` function does not sanitize this argument type, enabling OS command injection.
- Monitor for unauthenticated inbound webhook requests to OliveTin instances that contain JSON payloads with shell metacharacters; these values bypass type safety checks and are passed directly to `sh -c`.
- Flag OliveTin deployments running with `authType: none` (the default), as any user, including unauthenticated ones via webhooks, can exploit this vulnerability to execute arbitrary OS commands.
- Identify OliveTin instances at or below version 3000.10.0 as vulnerable; no patched version was available at time of publication.
- OliveTin defaults to `authType: none`, meaning no authentication is required by default, which expands the attack surface to all users including unauthenticated ones.
- Webhook-triggered actions represent a primary OliveTin use case, meaning a large portion of deployments may be exposed to the unauthenticated RCE vector (vector 2) by design.
- No patched version is available as of time of publication; mitigations must rely on configuration hardening (e.g., disabling shell mode, restricting webhook access, enabling authentication).
OSV · 2026-02-25: OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks in github.com/OliveTin/OliveTin
### Summary
OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching `sh -c`.
### Details
**Vector 1 — `password` type bypasses shell safety check (PR:L)**
`service/internal/executor/arguments.go` has two gaps:
```go
// Line 198-199 — TypeSafetyCheck returns nil (no error) for password type
case "password":
	return nil // accepts ANY string including ;
```
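As an added illustration (not OliveTin's code), the Go below models the two gaps the advisory describes: a per-type check whose `password` branch returns nil, shown beside a hardened check that is applied to every argument type and to webhook-extracted values before they are substituted into a command run via `sh -c`. The function names, the `hasShellMeta` metacharacter list and the `{{ name }}` substitution are assumptions made for the illustration.

```go
package main
import (
	"fmt"
	"strings"
)

// Added illustration, not OliveTin's code. It models the two gaps the advisory
// describes: a per-type check whose "password" branch returns nil, and
// webhook-extracted values that never reach the check before `sh -c`.
// shellMeta lists characters that change meaning inside `sh -c` (assumed list).
const shellMeta = ";|&$`<>()\\\"'\n"
// hasShellMeta is the defender-side test for validation and log monitoring.
func hasShellMeta(v string) bool { return strings.ContainsAny(v, shellMeta) }
// vulnerableTypeSafetyCheck mirrors the quoted arguments.go behaviour.
func vulnerableTypeSafetyCheck(argType, value string) error {
	if argType == "password" {
		return nil // gap: accepts ANY string including ;
	}
	if hasShellMeta(value) {
		return fmt.Errorf("argument type %q contains shell metacharacters", argType)
	}
	return nil
}

// hardenedTypeSafetyCheck applies the same check to every type, password included.
func hardenedTypeSafetyCheck(argType, value string) error {
	if hasShellMeta(value) {
		return fmt.Errorf("argument type %q contains shell metacharacters", argType)
	}
	return nil
}

// buildShellCommand models the sink. Webhook-extracted values (assumed keyed by
// argument name and substituted as {{ name }}) are validated only when hardened.
func buildShellCommand(tmpl string, webhookValues map[string]string, hardened bool) (string, error) {
	cmd := tmpl
	for name, v := range webhookValues {
		if hardened {
			if err := hardenedTypeSafetyCheck("webhook:"+name, v); err != nil {
				return "", err
			}
		}
		cmd = strings.ReplaceAll(cmd, "{{ "+name+" }}", v)
	}
	return cmd, nil
}

func main() {
	fmt.Println(vulnerableTypeSafetyCheck("password", "abc;def"), hardenedTypeSafetyCheck("password", "abc;def"))
}
```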
GHSA · 2026-02-25 · CRITICAL · CWE-78: OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks
No detection rules found.
No public exploits indexed.