
Github.Com Olivetin Olivetin vulnerabilities

14 known vulnerabilities affecting github.com/olivetin_olivetin.

Total CVEs: 14
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 8, MEDIUM 4, LOW 1

Vulnerabilities

CVE-2026-27626 | P2 | CRITICAL | ≥ 0, < 0.0.0-20260222101908-4bbd2eab1532 | 2026-02-25
[CRITICAL] CWE-78 OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks
Summary: OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbit
Sources: GHSA, OSV
CVE-2026-31817 | P2 | HIGH | ≥ 0, < 0.0.0-20260309102040-b03af0e2eca3 | 2026-03-11
[HIGH] CWE-22 OliveTin's unsafe parsing of UniqueTrackingId can be used to write files
When the `saveLogs` feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied `UniqueTrackingId` field in the `StartAction` API request. This value is not validated or sanitized before being used in a file path, allowing an attac
Sources: GHSA, OSV
CVE-2026-30223 | P2 | HIGH | ≥ 0, < 0.0.0-20260304231339-e97d8ecbd8d6 | 2026-03-05
[HIGH] CWE-287 OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes
Summary: When JWT authentication is configured using either `authJwtPubKeyPath` (local RSA public key) or `authJwtHmacSecret` (HMAC secret), the configured audience value (`authJwtAud`) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect `aud` claim are accepted for aut
Sources: GHSA, OSV
CVE-2026-48708 | P3 | HIGH | ≥ 0, < 0.0.0-20260521225117-d74da9314005 | 2026-06-24
[HIGH] CWE-362 OliveTin has a Concurrent Template Parsing Race Condition which Leads to Cross-Request Command Contamination
Summary: OliveTin's template engine uses a single shared `text/template.Template` instance (`tpl` package-level variable in `service/internal/tpl/templates.go`) across all goroutines. Every action execution calls `tpl.Parse(source)` followed by
Sources: GHSA
CVE-2026-28342 | P3 | HIGH | ≥ 0, < 0.0.0-20260227002407-2eb5f0ba79d4 | 2026-03-02
[HIGH] CWE-400 OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint
Summary: The PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degr
Sources: GHSA, OSV
CVE-2026-28790 | P3 | HIGH | ≥ 0, < 0.0.0-20260302002902-d9804182eae4 | 2026-03-02
[HIGH] CWE-284 OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login
Summary: OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. In the tested release (3000.10.2), guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and succe
Sources: GHSA, OSV
CVE-2026-28789 | P3 | HIGH | ≥ 0, < 0.0.0-20260301235225-f044d90d5525c | 2026-03-02
[HIGH] CWE-362 OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling
Summary: An unauthenticated denial-of-service vulnerability exists in OliveTin's OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This
Sources: GHSA, OSV
CVE-2025-50946 | P3 | HIGH | ≥ 0, ≤ 0.0.0-20250502155356-8c073bf45fca | 2025-08-13
[HIGH] CWE-78 OliveTin OS Command Injection vulnerability
OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go.
Sources: GHSA, OSV
CVE-2026-32102 | P3 | HIGH | ≥ 0, < 3000.10.2 | 2026-03-12
[HIGH] CWE-284 OliveTin Vulnerable to Unauthorized Action Output Disclosure via EventStream
Summary: OliveTin's live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitiv
Sources: GHSA, OSV
CVE-2026-30224 | P3 | MEDIUM | ≥ 0, < 0.0.0-20260304233115-d6a0abc3755d15 | 2026-03-05
[MEDIUM] CWE-384 OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session
Summary: OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, r
Sources: GHSA, OSV
CVE-2026-30225 | P4 | MEDIUM | ≥ 0, < 0.0.0-20260305000458-cb46a597b246 | 2026-03-05
[MEDIUM] CWE-250 OliveTin's RestartAction always runs actions as guest
Summary: An authentication context confusion vulnerability in RestartAction allows a low-privileged authenticated user to execute actions they are not permitted to run. RestartAction constructs a new internal connect.Request without preserving the original caller's authentication headers or cookies. When this synthetic request is passed to StartAction,
Sources: GHSA, OSV
CVE-2026-30233 | P4 | MEDIUM | ≥ 0, < 0.0.0-20260305082002-d7962710e7c4 | 2026-03-05
[MEDIUM] CWE-200 OliveTin doesn't check view permission when returning dashboards
Summary: An authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a r
Sources: GHSA, OSV
CVE-2026-48709 | P4 | LOW | ≥ 0, < 0.0.0-20260521230847-a3865704c854 | 2026-06-24
[LOW] CWE-862 OliveTin: ValidateArgumentType API Endpoint's Missing Authentication Allows Action and Argument Enumeration
Summary: The `ValidateArgumentType` RPC endpoint in `service/internal/api/api.go` does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call `auth.UserFromApiCall` or `checkDashboardAcc
Sources: GHSA
CVE-2026-53541 | MEDIUM | ≥ 0, < 0.0.0-20260531214440-ebffd9f040f7 | 2026-06-24
[MEDIUM] CWE-20 OliveTin has Unvalidated `ot_`-prefixed Arguments that Bypass Input Filtering
Description: The `filterToDefinedArgumentsOnly` function in the executor is intended to discard any arguments not explicitly defined in the action's configuration. However, a special case allows any argument whose name starts with `ot_` to bypass this filter. While two system arguments (`ot_executionTrackin
Sources: GHSA