CVE-2026-48709
LowCVSS 3.7Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
OliveTin versions 3000.0.0 and prior allow access to predefined shell commands from a web interface. The ValidateArgumentType RPC endpoint does not perform any authentication or authorization checks, allowing unauthenticated users to enumerate valid action binding IDs and their argument configurations.
Risk Assessment
The lack of proper access controls may lead to the disclosure of sensitive information and allow attackers to exploit the system for unauthorized actions.
Recommendation
It is recommended to upgrade to version 3000.13.0, where the issue has been fixed, and to implement appropriate authentication and authorization checks for all API endpoints.
Original NVD description (English source)
OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations. This issue has been fixed in version 3000.13.0.

