CVE-2026-30233

MEDIUM

OliveTin <3000.11.1 - Auth Bypass

Title source: llm

Description

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1.

References (3)

[Patch] https://github.com/OliveTin/OliveTin/commit/d7962710e7c46f6bdda4188b5b0cdbde4be665a0

View Patch ZIP pw:eip

[Release Notes] https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1

[Vendor Advisory] https://github.com/OliveTin/OliveTin/security/advisories/GHSA-jf73-858c-54pg

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 10.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-200 CWE-862

Status draft

Timeline

Published Mar 06, 2026

Tracked Since Mar 07, 2026