CVE-2026-31817
Published 2026-03-10
Priority P261 · high · 8.5 (CVSS 3.1) · vector AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
EPSS 0.71% (49.0th percentile)
OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied UniqueTrackingId field in the StartAction API request. This value is not validated or sanitized before being used in a file path, allowing an attacker to use directory traversal sequences (e.g., ../../../) to write files to arbitrary locations on the filesystem. This vulnerability is fixed in 3000.11.2.
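As an added example (not OliveTin's code and not the upstream fix), the Go below contrasts the filename construction the advisory describes with a hardened version: an assumed allow-list for the tracking id plus a check that the resolved path stays inside the log directory. The log directory, the `.json` suffix and the sample ids are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed allow-list: the id only ever becomes a filename component,
// so it is restricted to a conservative character set and length.
var trackingIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

var ErrBadTrackingID = errors.New("tracking id is not a valid filename component")

// unsafeLogPath mirrors the pattern in the advisory: the user-supplied id is
// joined into the path with no validation, so "../" sequences leave logDir.
func unsafeLogPath(logDir, trackingID string) string {
	return filepath.Join(logDir, trackingID+".json")
}

// safeLogPath rejects anything that is not a plain filename component and
// then confirms the resolved path still lies under logDir.
func safeLogPath(logDir, trackingID string) (string, error) {
	if !trackingIDPattern.MatchString(trackingID) {
		return "", ErrBadTrackingID
	}
	base, err := filepath.Abs(logDir)
	if err != nil {
		return "", err
	}
	p := filepath.Join(base, trackingID+".json")
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadTrackingID
	}
	return p, nil
}

func main() {
	// Constructed sample ids: one well-formed, one carrying a traversal sequence.
	for _, id := range []string{"run-42", "../../../tmp/x"} {
		fmt.Printf("unsafe: %s\n", unsafeLogPath("/var/lib/olivetin/logs", id))
		p, err := safeLogPath("/var/lib/olivetin/logs", id)
		fmt.Printf("safe:   %q err=%v\n", p, err)
	}
}
```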
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | olivetin_olivetin | >= 0 < 0.0.0-20260309102040-b03af0e2eca3 | 0.0.0-20260309102040-b03af0e2eca3 |
| olivetin | olivetin | < 3000.11.2 | 3000.11.2 |
Detection & IOCs (extracted from sources)
- Monitor StartAction API requests containing directory traversal sequences (e.g., '../') in the UniqueTrackingId field
- Alert on unexpected file creation outside the designated OliveTin log directory, particularly when the saveLogs feature is enabled
- The path traversal vulnerability is only exploitable when the saveLogs feature is explicitly enabled in OliveTin configuration
- Affected package is github.com/olivetin/olivetin; versions prior to 3000.11.2 are vulnerable
OSV · 2026-03-12 · CVE-2026-31817: OliveTin's unsafe parsing of UniqueTrackingId can be used to write files in github.com/OliveTin/OliveTin
OSV · 2026-03-11 · CVE-2026-31817 [HIGH]: OliveTin's unsafe parsing of UniqueTrackingId can be used to write files
When the `saveLogs` feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied `UniqueTrackingId` field in the `StartAction` API request. This value is not validated or sanitized before being used in a file path, allowing an attacker to use directory traversal sequences (e.g., `../../../`) to write files to arbitrary locations on the filesystem.
### Affected Code
**Entry point — `service/internal/api/api.go` (line 130):**
The `UniqueTrackingId` from the API request is passed directly to the executor without validation:
```go
execReq := executor.ExecutionRequest{
	Binding:    pair,
	TrackingID: req.Msg.UniqueTrackingId, // user
}
```
GHSA · 2026-03-11 · CVE-2026-31817 [HIGH] CWE-22: OliveTin's unsafe parsing of UniqueTrackingId can be used to write files
No detection rules found.
No public exploits indexed.