CVE Catalog

CVE-2026-48709

LowCVSS 3.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

OliveTin versions 3000.0.0 and prior allow access to predefined shell commands from a web interface. The ValidateArgumentType RPC endpoint does not perform any authentication or authorization checks, allowing unauthenticated users to enumerate valid action binding IDs and their argument configurations.

Risk Assessment

The lack of proper access controls may lead to the disclosure of sensitive information and allow attackers to exploit the system for unauthorized actions.

Recommendation

It is recommended to upgrade to version 3000.13.0, where the issue has been fixed, and to implement appropriate authentication and authorization checks for all API endpoints.

Original NVD description (English source)

OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations. This issue has been fixed in version 3000.13.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS