CVE-2026-53541
Published 2026-06-24
Severity: medium
OliveTin has Unvalidated `ot_`-prefixed Arguments that Bypass Input Filtering
### Description
The `filterToDefinedArgumentsOnly` function in the executor is intended to discard any arguments not explicitly defined in the action's configuration. However, a special case allows any argument whose name starts with `ot_` to bypass this filter. While two system arguments (`ot_executionTrackingId` and `ot_username`) are injected by OliveTin and overridden, all other `ot_`-prefixed arguments supplied by the user pass through unmodified.
These bypassed arguments are:
1. **Not type-checked** — the validation loop only iterates over the action's defined arguments, so `ot_`-prefixed arguments skip all type safety checks entirely.
2. **Set as environment variables** — via `buildEnv()`, with completely unvalidated values, and passed to the executed command.
3. **Included in the template context** — available as `.Arguments.ot_*` in template rendering.
### Affected Code
**Filter bypass — `service/internal/executor/executor.go` (lines 728–731):**
```go
func keepArgument(name string, definedNames map[string]struct{}) bool {
	_, ok := definedNames[name]
	return ok || strings.HasPrefix(name, "ot_")
}
```
**System args only override two keys — `service/internal/executor/executor.go` (lines 742–745):**
```go
func injectSystemArgs(req *ExecutionRequest) {
	req.Arguments["ot_executionTrackingId"] = req.TrackingID
	req.Arguments["ot_username"] = req.AuthenticatedUser.Username
}
```
Any other `ot_`-prefixed argument (e.g., `ot_malicious`) survives both functions.
**Unvalidated values become environment variables — `service/internal/executor/executor.go` (lines 867–882):**
```go
func buildEnv(args map[string]string) []string {
	ret := append(os.Environ(), "OLIVETIN=1")
	for k, v := range args {
		varName := fmt.Sprintf("%v", strings.TrimSpace(strings.ToUpper(k)))
		if varName == "" {
			continue
		}
		ret = append(ret, fmt.Sprintf("%v=%v", varName, v))
	}
	return ret
}
```
The value `v` is never v
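To make the filter behaviour concrete, the following is an added, self-contained Go example (not OliveTin's code and not the project's actual fix) that runs a constructed request through the three steps the advisory describes: the `ot_`-prefix filter, `injectSystemArgs`, and `buildEnv`. `keepArgumentVulnerable` reproduces the excerpt above; `keepArgumentHardened` and `rejectReservedPrefix` are assumed mitigations (drop every undefined argument regardless of prefix, or refuse requests that carry caller-supplied `ot_` keys), `os.Environ()` is omitted so the output is deterministic, and the tracking id, username and request values are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// keepArgumentVulnerable reproduces the advisory's keepArgument excerpt:
// an undefined argument survives as long as its name starts with "ot_".
func keepArgumentVulnerable(name string, definedNames map[string]struct{}) bool {
	_, ok := definedNames[name]
	return ok || strings.HasPrefix(name, "ot_")
}

// keepArgumentHardened is an assumed fix, not the project's own patch: only
// arguments the action defines survive. The two system keys need no
// exception here because injectSystemArgs writes them after filtering.
func keepArgumentHardened(name string, definedNames map[string]struct{}) bool {
	_, ok := definedNames[name]
	return ok
}

// rejectReservedPrefix is an assumed, stricter control (not from the
// project): refuse the whole request if the caller supplied any "ot_" key.
func rejectReservedPrefix(args map[string]string) error {
	for k := range args {
		if strings.HasPrefix(k, "ot_") {
			return fmt.Errorf("argument %q uses the reserved ot_ prefix", k)
		}
	}
	return nil
}

// filterArgs keeps only the arguments the predicate accepts.
func filterArgs(args map[string]string, definedNames map[string]struct{}, keep func(string, map[string]struct{}) bool) map[string]string {
	out := make(map[string]string, len(args))
	for k, v := range args {
		if keep(k, definedNames) {
			out[k] = v
		}
	}
	return out
}

// injectSystemArgs mirrors the advisory's excerpt with plain values in
// place of the ExecutionRequest fields.
func injectSystemArgs(args map[string]string, trackingID, username string) {
	args["ot_executionTrackingId"] = trackingID
	args["ot_username"] = username
}

// buildEnv mirrors the advisory's excerpt minus os.Environ(); the result
// is sorted so runs are comparable.
func buildEnv(args map[string]string) []string {
	ret := []string{"OLIVETIN=1"}
	for k, v := range args {
		varName := strings.TrimSpace(strings.ToUpper(k))
		if varName == "" {
			continue
		}
		ret = append(ret, fmt.Sprintf("%v=%v", varName, v))
	}
	sort.Strings(ret)
	return ret
}

// EnvForRequest runs filter -> inject -> buildEnv with either predicate.
func EnvForRequest(args map[string]string, definedNames map[string]struct{}, hardened bool) []string {
	keep := keepArgumentVulnerable
	if hardened {
		keep = keepArgumentHardened
	}
	filtered := filterArgs(args, definedNames, keep)
	injectSystemArgs(filtered, "track-0001", "alice") // constructed system values
	return buildEnv(filtered)
}

// HasEnv reports whether an exact KEY=value entry is present.
func HasEnv(env []string, entry string) bool {
	for _, e := range env {
		if e == entry {
			return true
		}
	}
	return false
}

func main() {
	// Constructed request: the action defines only "hostname"; the caller
	// also sends an undefined ot_ key, a value for ot_username, and a plain
	// undefined key.
	defined := map[string]struct{}{"hostname": {}}
	args := map[string]string{
		"hostname":    "db01",
		"ot_extra":    "unchecked",
		"ot_username": "caller-supplied",
		"other":       "dropped",
	}
	fmt.Println("vulnerable:", EnvForRequest(args, defined, false))
	fmt.Println("hardened:  ", EnvForRequest(args, defined, true))
	fmt.Println("strict:    ", rejectReservedPrefix(args))
}
```

With the vulnerable predicate, `OT_EXTRA=unchecked` reaches the command's environment while `other` is dropped; the caller's `ot_username` is overwritten to `alice` in both modes, which is why only the undefined `ot_` keys matter. The hardened predicate removes `OT_EXTRA` without touching the two injected keys, and `rejectReservedPrefix` turns the same request into an error before execution.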
### Affected ranges (1)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | olivetin_olivetin | >= 0 < 0.0.0-20260531214440-ebffd9f040f7 | 0.0.0-20260531214440-ebffd9f040f7 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.