CVE-2026-53541
published 2026-06-24


**Severity:** medium
OliveTin has Unvalidated `ot_`-prefixed Arguments that Bypass Input Filtering

### Description

The `filterToDefinedArgumentsOnly` function in the executor is intended to discard any arguments not explicitly defined in the action's configuration. However, a special case allows any argument whose name starts with `ot_` to bypass this filter. While two system arguments (`ot_executionTrackingId` and `ot_username`) are injected by OliveTin and overridden, all other `ot_`-prefixed arguments supplied by the user pass through unmodified.

These bypassed arguments are:

1. **Not type-checked** — the validation loop only iterates over the action's defined arguments, so `ot_`-prefixed arguments skip all type safety checks entirely.
2. **Set as environment variables** — via `buildEnv()`, with completely unvalidated values, and passed to the executed command.
3. **Included in the template context** — available as `.Arguments.ot_*` in template rendering.

### Affected Code

**Filter bypass — `service/internal/executor/executor.go` (lines 728–731):**

```go
func keepArgument(name string, definedNames map[string]struct{}) bool {
	_, ok := definedNames[name]
	return ok || strings.HasPrefix(name, "ot_")
}
```

**System args only override two keys — `service/internal/executor/executor.go` (lines 742–745):**

```go
func injectSystemArgs(req *ExecutionRequest) {
	req.Arguments["ot_executionTrackingId"] = req.TrackingID
	req.Arguments["ot_username"] = req.AuthenticatedUser.Username
}
```

Any other `ot_`-prefixed argument (e.g., `ot_malicious`) survives both functions.

**Unvalidated values become environment variables — `service/internal/executor/executor.go` (lines 867–882):**

```go
func buildEnv(args map[string]string) []string {
	ret := append(os.Environ(), "OLIVETIN=1")
	for k, v := range args {
		varName := fmt.Sprintf("%v", strings.TrimSpace(strings.ToUpper(k)))
		if varName == "" {
			continue
		}
		ret = append(ret, fmt.Sprintf("%v=%v", varName, v))
	}
	return ret
}
```

The value `v` is never v
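The following is an added example, not OliveTin's code: it reproduces the behaviour of the three snippets above (filter, system-argument injection, environment construction) and places a hardened `keepArgument` beside the original so the difference is visible end to end. The `ExecutionRequest` struct, the `prepare` pipeline, the action definition (`service`) and the request values are constructed for the example; the two system argument names and the filter/injection logic come from the advisory. The hardened predicate admits only names the action defines plus the exact system names, which `injectSystemArgs` overwrites afterwards anyway, so no caller-chosen `ot_` argument reaches the child process environment.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ExecutionRequest carries only the fields the advisory's snippets touch.
// It is a constructed stand-in for OliveTin's real struct.
type ExecutionRequest struct {
	TrackingID string
	Username   string // the authenticated user, set by the server, never by the caller
	Arguments  map[string]string
}

// systemArgNames is the closed set of ot_-prefixed names OliveTin itself
// injects (both names come from the advisory).
var systemArgNames = map[string]struct{}{
	"ot_executionTrackingId": {},
	"ot_username":            {},
}

// keepArgumentVulnerable is the page's predicate: any ot_ prefix passes.
func keepArgumentVulnerable(name string, defined map[string]struct{}) bool {
	_, ok := defined[name]
	return ok || strings.HasPrefix(name, "ot_")
}

// keepArgumentHardened admits only names the action defines plus the exact
// system names, which injectSystemArgs overwrites with trusted values.
func keepArgumentHardened(name string, defined map[string]struct{}) bool {
	if _, ok := defined[name]; ok {
		return true
	}
	_, ok := systemArgNames[name]
	return ok
}

// filterArguments drops every caller-supplied argument the keep policy rejects.
func filterArguments(args map[string]string, defined map[string]struct{},
	keep func(string, map[string]struct{}) bool) map[string]string {
	out := make(map[string]string, len(args))
	for k, v := range args {
		if keep(k, defined) {
			out[k] = v
		}
	}
	return out
}

// injectSystemArgs mirrors the page: it overwrites exactly two keys.
func injectSystemArgs(req *ExecutionRequest) {
	req.Arguments["ot_executionTrackingId"] = req.TrackingID
	req.Arguments["ot_username"] = req.Username
}

// buildEnv mirrors the page's key handling (trim, upper-case, KEY=value).
// The real function prepends os.Environ(); it is left out here so the
// listing is deterministic.
func buildEnv(args map[string]string) []string {
	ret := []string{"OLIVETIN=1"}
	for k, v := range args {
		varName := strings.TrimSpace(strings.ToUpper(k))
		if varName == "" {
			continue
		}
		ret = append(ret, fmt.Sprintf("%s=%s", varName, v))
	}
	sort.Strings(ret)
	return ret
}

// prepare runs filter -> inject -> env for one request under a keep policy
// and returns the environment the child process would receive.
func prepare(req ExecutionRequest, defined map[string]struct{},
	keep func(string, map[string]struct{}) bool) []string {
	req.Arguments = filterArguments(req.Arguments, defined, keep)
	injectSystemArgs(&req)
	return buildEnv(req.Arguments)
}

// envHas reports whether an exact KEY=value entry is present.
func envHas(env []string, kv string) bool {
	for _, e := range env {
		if e == kv {
			return true
		}
	}
	return false
}

// definedNames is a constructed action definition with a single argument.
var definedNames = map[string]struct{}{"service": {}}

// sampleRequest is a constructed request: one legitimate argument, one
// ot_-prefixed argument the action never defined, and an attempt to set
// ot_username from the caller side.
func sampleRequest() ExecutionRequest {
	return ExecutionRequest{
		TrackingID: "trk-0001",
		Username:   "alice",
		Arguments: map[string]string{
			"service":      "nginx",
			"ot_malicious": "anything",
			"ot_username":  "not-alice",
		},
	}
}

func main() {
	for _, name := range []string{"vulnerable", "hardened"} {
		keep := keepArgumentVulnerable
		if name == "hardened" {
			keep = keepArgumentHardened
		}
		env := prepare(sampleRequest(), definedNames, keep)
		fmt.Printf("%-10s OT_MALICIOUS leaks: %v  OT_USERNAME trusted: %v  env=%v\n",
			name, envHas(env, "OT_MALICIOUS=anything"), envHas(env, "OT_USERNAME=alice"), env)
	}
}
```

Under the original predicate the constructed `ot_malicious` argument appears in the child environment as `OT_MALICIOUS=anything`; under the hardened predicate it is dropped, while `ot_username` is accepted only to be overwritten with the authenticated identity in both cases. The same check can be run against a real deployment by passing an undefined `ot_` argument to an action whose command prints its environment, and confirming that the variable is absent after the fix.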

### Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com/olivetin | olivetin | >= 0, < 0.0.0-20260531214440-ebffd9f040f7 | 0.0.0-20260531214440-ebffd9f040f7 |