CVE-2026-30233

MEDIUM EPSS 33.4%
Published Mar 6, 20263mo ago · Modified Jun 17, 20261w ago
4.3 CVSS 3.1
Medium
Find Similar
Published Mar 6, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1.

CVSS Details

Base Score
4.3
Exploitability
2.8
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
33.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure
CWE-862 Missing Authorization Authorization

Affected Products 1

VendorProductVersionRange
olivetinolivetin* <3000.11.1

References 3

  • github.com https://github.com/OliveTin/OliveTin/commit/d7962710e7c46f6bdda4188b5b0cdbde4be665a0
    Patch
  • github.com https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1
    ProductRelease Notes
  • github.com https://github.com/OliveTin/OliveTin/security/advisories/GHSA-jf73-858c-54pg
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/OliveTin/OliveTin/commit/d7962710e7c46f6bdda4188b5b0cdbde4be665a0
    Patch