CVE-2026-30225 Overview
OliveTin is a web-based application that provides access to predefined shell commands through a user-friendly interface. CVE-2026-30225 is an authentication context confusion vulnerability in the RestartAction function that allows a low-privileged authenticated user to execute actions they are not permitted to run, resulting in privilege escalation.
The vulnerability stems from improper handling of authentication context when RestartAction constructs a new internal connect.Request. The synthetic request does not preserve the original caller's authentication headers or cookies, causing the authentication resolver to fall back to the guest user. If the guest account has broader permissions than the authenticated caller, this allows unauthorized command execution.
Critical Impact
Low-privileged users can bypass ACL restrictions and execute arbitrary configured shell actions, potentially compromising system integrity through unauthorized command execution.
Affected Products
- OliveTin versions prior to 3000.11.1
- OliveTin deployments with guest accounts having broader permissions than authenticated users
- Web-accessible OliveTin instances with multi-user access control configurations
Discovery Timeline
- 2026-03-06 - CVE-2026-30225 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-30225
Vulnerability Analysis
This vulnerability is classified as CWE-250 (Execution with Unnecessary Privileges). The authentication context confusion occurs within the RestartAction function, which is responsible for restarting previously executed shell commands. When a user triggers this action, the function creates a new internal request object to call StartAction but fails to properly propagate the original user's authentication context.
The flaw stems from a design weakness in how OliveTin chains requests between internal API functions. The application treats internal requests as carrying a default authentication context, and that assumption violates the principle of least privilege whenever the default context (the guest user) holds more permissions than the actual caller.
Root Cause
The root cause lies in the RestartAction function's construction of synthetic connect.Request objects without preserving authentication state. When the function calls StartAction with this synthetic request, the authentication resolver cannot find valid credentials and defaults to the guest user identity. This creates a privilege escalation vector when:
- The guest user has been configured with broad action permissions
- A low-privileged authenticated user has restricted action permissions
- The authenticated user invokes RestartAction for an action they cannot directly execute
The authentication headers and cookies from the original HTTP request are not carried forward to the internal request, breaking the authentication chain.
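The context-loss mechanism described above, reduced to a runnable model (added example, not OliveTin's code): the Request type, the X-Auth-User header, the resolver and the ACL table are all assumptions standing in for connect.Request and OliveTin's real authentication and ACL logic.

```go
package main

import (
	"fmt"
	"net/http"
)

// Request stands in for connect.Request; only the headers matter here.
type Request struct{ Header http.Header }
// Constructed ACL: guest may run more actions than authenticated user alice.
var acl = map[string]map[string]bool{
	"guest": {"reboot-db": true, "rotate-logs": true},
	"alice": {"rotate-logs": true},
}

// resolveUser reads the caller from an assumed auth header and falls
// back to the guest identity when no credentials are present.
func resolveUser(req *Request) string {
	if u := req.Header.Get("X-Auth-User"); u != "" {
		return u
	}
	return "guest"
}

// startAction authorises the action under the resolved identity and
// reports which identity the ACL check was made as.
func startAction(req *Request, action string) (user string, allowed bool) {
	user = resolveUser(req)
	return user, acl[user][action]
}

// restartActionVulnerable builds a fresh synthetic request without the
// caller's headers, so the chained startAction resolves to guest.
func restartActionVulnerable(orig *Request, action string) (string, bool) {
	return startAction(&Request{Header: http.Header{}}, action)
}

// restartActionFixed clones the original headers onto the synthetic
// request so the authentication chain is preserved end to end.
func restartActionFixed(orig *Request, action string) (string, bool) {
	return startAction(&Request{Header: orig.Header.Clone()}, action)
}

func main() {
	alice := &Request{Header: http.Header{"X-Auth-User": {"alice"}}}
	u, ok := restartActionVulnerable(alice, "reboot-db")
	fmt.Printf("vulnerable: authorised as %s, allowed=%v\n", u, ok) // guest, true
	u, ok = restartActionFixed(alice, "reboot-db")
	fmt.Printf("fixed: authorised as %s, allowed=%v\n", u, ok) // alice, false
}
```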
Attack Vector
The attack is network-accessible and requires only low privileges. An attacker with a low-privileged OliveTin account can exploit this vulnerability by:
- Identifying shell actions that are permitted for the guest user but restricted for their own account
- Triggering the RestartAction endpoint for one of those restricted actions
The synthetic internal request then falls back to guest authentication, and the action executes with guest-level permissions, bypassing the attacker's ACL restrictions.
This vulnerability requires no user interaction and can be exploited remotely. The attack complexity is low as it simply requires invoking an existing API endpoint with crafted parameters. The impact is primarily to integrity, as attackers can execute arbitrary configured shell commands beyond their authorization level.
Detection Methods for CVE-2026-30225
Indicators of Compromise
- Unexpected execution of shell commands by users who should not have access to those actions
- Log entries showing RestartAction calls followed by command executions under guest user context
- Discrepancies between authenticated user sessions and the user context recorded for command executions
- Audit trail gaps where commands executed do not match user permission profiles
Detection Strategies
- Monitor OliveTin logs for authentication context mismatches between request initiators and command executors
- Implement alerting on RestartAction API calls that result in elevated command executions
- Review access control configurations to identify guest accounts with overly permissive action access
- Deploy network monitoring to detect unusual patterns of RestartAction endpoint utilization
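A minimal log-correlation check for the indicator in the lists above, a RestartAction call by one user followed by execution under another identity (added example, not part of the page or of OliveTin): the key=value log format, the exec id field and the sample lines are constructed for illustration, so a real deployment needs its own parser for OliveTin's actual log output.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed log excerpt in a hypothetical key=value format (not OliveTin's
// real format); exec ties a RestartAction call to its chained StartAction.
const sampleLog = `ts=2026-03-07T10:00:01Z rpc=RestartAction user=alice exec=42
ts=2026-03-07T10:00:01Z rpc=StartAction user=guest exec=42 action=reboot-db
ts=2026-03-07T10:05:00Z rpc=RestartAction user=bob exec=43
ts=2026-03-07T10:05:00Z rpc=StartAction user=bob exec=43 action=rotate-logs`
type Finding struct{ Exec, Requester, Executor, Action string }
// parseKV splits a "k=v k=v" line into a map; malformed tokens are skipped.
func parseKV(line string) map[string]string {
	kv := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			kv[k] = v
		}
	}
	return kv
}

// findContextMismatches pairs each StartAction with the RestartAction sharing
// its exec id and flags pairs whose executing user differs from the requester.
func findContextMismatches(logText string) []Finding {
	requester := map[string]string{} // exec id -> user who called RestartAction
	var out []Finding
	for _, line := range strings.Split(logText, "\n") {
		kv := parseKV(line)
		switch kv["rpc"] {
		case "RestartAction":
			requester[kv["exec"]] = kv["user"]
		case "StartAction":
			if r, seen := requester[kv["exec"]]; seen && r != kv["user"] {
				out = append(out, Finding{kv["exec"], r, kv["user"], kv["action"]})
			}
		}
	}
	return out
}

func main() {
	for _, f := range findContextMismatches(sampleLog) {
		fmt.Printf("ALERT exec=%s: %s requested restart, ran as %s (%s)\n",
			f.Exec, f.Requester, f.Executor, f.Action)
	}
}
```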
Monitoring Recommendations
- Enable verbose logging in OliveTin to capture full authentication context for all action executions
- Establish baseline metrics for normal RestartAction usage patterns per user
- Configure SIEM rules to correlate user authentication events with subsequent command execution logs
- Perform regular audits of guest user permissions against the principle of least privilege
How to Mitigate CVE-2026-30225
Immediate Actions Required
- Upgrade OliveTin to version 3000.11.1 or later immediately
- Review and restrict guest user permissions to the minimum required access
- Audit current user permission configurations for overly permissive guest accounts
- Consider temporarily disabling the RestartAction functionality if immediate patching is not possible
Patch Information
The vulnerability has been addressed in OliveTin version 3000.11.1. The patch ensures that authentication context is properly preserved when internal requests are constructed, preventing the fallback to guest user authentication. The fix is available through the official GitHub release.
For technical details about the fix, refer to the security commit which modifies how RestartAction handles authentication propagation to StartAction.
Additional information is available in the GitHub Security Advisory GHSA-p443-p7w5-2f7f.
Workarounds
- Remove or significantly restrict guest user permissions to prevent privilege escalation
- Implement network-level access controls to limit who can reach the OliveTin web interface
- Disable the RestartAction functionality by removing relevant action configurations until patching is complete
- Deploy a reverse proxy with additional authentication layers in front of OliveTin
# Example: Restrict guest permissions in OliveTin configuration
# In config.yaml, ensure guest has minimal or no action access:
accessControlLists:
  - name: guest
    matchUsernames:
      - guest
    allowedActions: []  # Remove all action permissions for guest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.