Description
OliveTin exposes predefined shell commands through a web interface. In 3000.10.2 and earlier, OliveTin's live EventStream broadcasts execution events and action output to every authenticated dashboard subscriber without enforcing per-action authorization: the check that governs who may see or run an action is not applied to the stream that carries its output. A low-privileged authenticated user can therefore receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure.
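The broadcast pattern described above, as an added illustration that is not OliveTin's code and does not reproduce its EventStream implementation: a minimal Go fan-out in which BroadcastUnfiltered delivers every event to every authenticated subscriber, and BroadcastAuthorized re-applies a per-action check before delivery. The Action, User, Subscriber and EventStream types, the role-based CanView check, and the sample actions and output are assumptions constructed for this example.

```go
package main

import "fmt"

// Action is a predefined command and the roles allowed to view it and its
// output. All types here are assumptions for the example, not OliveTin's API.
type Action struct {
	ID         string
	ViewableBy []string
}

// User is an authenticated dashboard user with a single role.
type User struct {
	Role string
}

// OutputEvent is one chunk of execution output for an action.
type OutputEvent struct {
	ActionID string
	Output   string
}

// Subscriber is a connected dashboard; Inbox collects what it was sent.
type Subscriber struct {
	User  User
	Inbox []OutputEvent
}

// EventStream fans execution events out to connected subscribers.
type EventStream struct {
	actions     map[string]Action
	subscribers []*Subscriber
}

func NewEventStream(actions []Action) *EventStream {
	es := &EventStream{actions: make(map[string]Action)}
	for _, a := range actions {
		es.actions[a.ID] = a
	}
	return es
}

// Subscribe admits any authenticated user; authentication is the only gate.
func (es *EventStream) Subscribe(u User) *Subscriber {
	sub := &Subscriber{User: u}
	es.subscribers = append(es.subscribers, sub)
	return sub
}

// BroadcastUnfiltered is the weak pattern the advisory describes: every
// authenticated subscriber receives every event, whatever action it belongs to.
func (es *EventStream) BroadcastUnfiltered(ev OutputEvent) {
	for _, sub := range es.subscribers {
		sub.Inbox = append(sub.Inbox, ev)
	}
}

// CanView is the per-action check; it fails closed for unknown actions.
func (es *EventStream) CanView(u User, actionID string) bool {
	a, ok := es.actions[actionID]
	if !ok {
		return false
	}
	for _, role := range a.ViewableBy {
		if role == u.Role {
			return true
		}
	}
	return false
}

// BroadcastAuthorized is the hardened form: the same decision that governs
// the action itself is re-applied per subscriber, per event.
func (es *EventStream) BroadcastAuthorized(ev OutputEvent) {
	for _, sub := range es.subscribers {
		if es.CanView(sub.User, ev.ActionID) {
			sub.Inbox = append(sub.Inbox, ev)
		}
	}
}

func main() {
	actions := []Action{
		{ID: "rotate-keys", ViewableBy: []string{"admin"}},
		{ID: "uptime", ViewableBy: []string{"admin", "viewer"}},
	}
	// Constructed sample event; the output text is made up for the demo.
	ev := OutputEvent{ActionID: "rotate-keys", Output: "new token: tok_example"}

	leaky := NewEventStream(actions)
	viewer := leaky.Subscribe(User{Role: "viewer"})
	leaky.BroadcastUnfiltered(ev)
	fmt.Printf("unfiltered: viewer received %d event(s)\n", len(viewer.Inbox))

	fixed := NewEventStream(actions)
	viewer2 := fixed.Subscribe(User{Role: "viewer"})
	admin := fixed.Subscribe(User{Role: "admin"})
	fixed.BroadcastAuthorized(ev)
	fmt.Printf("authorized: viewer %d, admin %d\n", len(viewer2.Inbox), len(admin.Inbox))
}
```

The point to carry into a real fix is that the authorization decision is made per subscriber and per event, using the same policy that gates viewing or running the action itself, and that an event for an action absent from the configuration is dropped rather than delivered.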
References (1)
Core References
Vendor Advisory (x_refsource_confirm)
https://github.com/OliveTin/OliveTin/security/advisories/GHSA-228v-wc5r-j8m7
Scores
CVSS v3.1
6.5 (Medium)
EPSS
0.0043
EPSS Percentile
34.2%
Attack Vector
NETWORK
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-284 Improper Access Control
CWE-863 Incorrect Authorization
Status
published
Products (2)
olivetin/olivetin
< 3000.10.2
OliveTin/OliveTin (Go)
0 - 3000.10.2
Published
Mar 11, 2026
Tracked Since
Mar 12, 2026