CVE-2026-30233 Overview
OliveTin is a web-based application that provides access to predefined shell commands through a user-friendly interface. CVE-2026-30233 is an authorization bypass vulnerability discovered in OliveTin versions prior to 3000.11.1. The flaw allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints, exposing sensitive configuration data that should be restricted.
Critical Impact
Authenticated users can bypass view restrictions to retrieve action titles, IDs, icons, and argument metadata, potentially revealing sensitive operational details about configured shell commands.
Affected Products
- OliveTin versions prior to 3000.11.1
Discovery Timeline
- 2026-03-06 - CVE-2026-30233 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-30233
Vulnerability Analysis
This authorization bypass vulnerability stems from improper access control enforcement in OliveTin's API layer. When authenticated users make requests to dashboard and action binding endpoints, the backend fails to enforce the IsAllowedView() permission check when constructing responses. While execution permissions (exec) are correctly validated and denied when appropriate, the view permission is not consistently applied across all code paths.
The vulnerability is classified under CWE-200 (Exposure of Sensitive Information) and CWE-862 (Missing Authorization). The network-based attack vector allows any authenticated user to exploit this flaw remotely without requiring user interaction, though the impact is limited to information disclosure rather than system compromise.
Root Cause
The root cause lies in the findActionForEntity() function within service/internal/api/apiActions.go. The function was iterating through action bindings and returning action data without verifying whether the authenticated user had view permissions for the specific action. The ACL module's IsAllowedView() function existed but was not being called during dashboard and action binding response construction.
Attack Vector
An attacker with valid authentication credentials but restricted view permissions can exploit this vulnerability by:
- Authenticating to the OliveTin web interface with a user account that has view: false configured for certain actions
- Making direct API requests to dashboard endpoints or action binding enumeration endpoints
- Receiving full action metadata including titles, IDs, icons, and argument configurations for actions they should not be able to see
- Using the disclosed information to understand the system's configured commands and potentially craft targeted attacks
The security patch introduces proper view permission checks by calling acl.IsAllowedView() before returning action data:
func bindingMatchesTitleAndEntity(binding *executor.ActionBinding, title string, entity *entities.Entity) bool {
	return binding != nil && binding.Action != nil && binding.Action.Title == title && matchesEntity(binding, entity)
}

func (rr *DashboardRenderRequest) findActionForEntity(title string, entity *entities.Entity) *apiv1.Action {
	rr.ex.MapActionBindingsLock.RLock()
	defer rr.ex.MapActionBindingsLock.RUnlock()

	for _, binding := range rr.ex.MapActionBindings {
		if !bindingMatchesTitleAndEntity(binding, title, entity) {
			continue
		}

		// The fix: a matching binding is only turned into a response if the
		// authenticated user holds view permission for its action.
		if !acl.IsAllowedView(rr.cfg, rr.AuthenticatedUser, binding.Action) {
			return nil
		}

		return buildAction(binding, rr)
	}

	return nil
}
Source: GitHub Commit d7962710e7c46f6bdda4188b5b0cdbde4be665a0
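As an added illustration, not OliveTin's own code and not taken from the commit above, the following self-contained Go program models the missing check with hypothetical stand-in types. findActionVulnerable reproduces the pre-patch lookup that returned a matching binding's metadata to any authenticated user, and findActionFixed applies the same view check the patch adds. The ACL model (group-scoped ACLs with first-match semantics and a default permission) is an assumption of the example, and entity matching is left out.

```go
package main

import "fmt"

// Hypothetical, simplified stand-ins for OliveTin's config, ACL, user and action types;
// they are not the project's own types.
type (
	Permissions   struct{ View bool }
	User          struct{ Usergroups []string }
	Action        struct{ ID, Title string }
	ActionBinding struct{ Action *Action }
)

// An ACL grants Permissions to members of MatchUsergroup for the action named by
// MatchAction (by ID); an empty MatchAction applies the ACL to every action.
type ACL struct {
	MatchUsergroup string
	MatchAction    string
	Permissions    Permissions
}

type Config struct {
	DefaultPermissions Permissions // used when no ACL matches
	ACLs               []ACL
}

func aclMatches(acl ACL, user *User, action *Action) bool {
	if acl.MatchAction != "" && acl.MatchAction != action.ID {
		return false
	}
	for _, g := range user.Usergroups {
		if g == acl.MatchUsergroup {
			return true
		}
	}
	return false
}

// isAllowedView takes the view permission from the first ACL matching both user and action,
// falling back to DefaultPermissions (first-match semantics are an assumption of this example).
func isAllowedView(cfg *Config, user *User, action *Action) bool {
	for _, acl := range cfg.ACLs {
		if aclMatches(acl, user, action) {
			return acl.Permissions.View
		}
	}
	return cfg.DefaultPermissions.View
}

// findActionVulnerable mirrors the pre-patch behaviour described under Root Cause: the binding
// is matched by title and its action metadata returned without consulting the view permission.
func findActionVulnerable(bindings []*ActionBinding, title string) *Action {
	for _, b := range bindings {
		if b != nil && b.Action != nil && b.Action.Title == title {
			return b.Action
		}
	}
	return nil
}

// findActionFixed follows the structure of the patched findActionForEntity: once a binding
// matches, the view check decides whether any metadata is returned at all.
func findActionFixed(cfg *Config, user *User, bindings []*ActionBinding, title string) *Action {
	for _, b := range bindings {
		if b == nil || b.Action == nil || b.Action.Title != title {
			continue
		}
		if !isAllowedView(cfg, user, b.Action) {
			return nil
		}
		return b.Action
	}
	return nil
}

// Constructed data: members of the "limited" group may not view the "reboot" action.
func sampleConfig() *Config {
	return &Config{
		DefaultPermissions: Permissions{View: true},
		ACLs: []ACL{{MatchUsergroup: "limited", MatchAction: "reboot", Permissions: Permissions{View: false}}},
	}
}

func sampleBindings() []*ActionBinding {
	return []*ActionBinding{
		{Action: &Action{ID: "reboot", Title: "Reboot host"}},
		{Action: &Action{ID: "uptime", Title: "Show uptime"}},
	}
}

func main() {
	cfg, bindings := sampleConfig(), sampleBindings()
	limited := &User{Usergroups: []string{"limited"}}
	fmt.Println("pre-patch leaks Reboot host:", findActionVulnerable(bindings, "Reboot host") != nil)
	fmt.Println("patched returns Reboot host:", findActionFixed(cfg, limited, bindings, "Reboot host") != nil)
	fmt.Println("patched returns Show uptime:", findActionFixed(cfg, limited, bindings, "Show uptime") != nil)
}
```

The point the example makes is the one in the Root Cause section: the permission function can exist and be correct, yet the metadata still leaks if the response-building path never calls it. Any new code path that turns a binding into a response needs the same check, which is easiest to guarantee when the lookup itself performs it, as the patched function does.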
Detection Methods for CVE-2026-30233
Indicators of Compromise
- Unusual API request patterns from authenticated users accessing dashboard or action binding endpoints
- Authenticated users with restricted permissions making repeated requests to enumerate available actions
- Access logs showing requests to /api/ endpoints from users who should have limited visibility
Detection Strategies
- Monitor application logs for API calls to dashboard and action enumeration endpoints by users with restricted permissions
- Implement alerting on successful responses to API endpoints when the requesting user has view: false configured
- Review authentication logs for patterns indicating systematic enumeration of action bindings
Monitoring Recommendations
- Enable detailed access logging for OliveTin API endpoints
- Correlate user permission configurations with API access patterns to identify anomalous behavior
- Implement real-time monitoring for unauthorized information access attempts
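The following Go program is an added example of the detection and monitoring strategies listed above (it is not part of OliveTin and not from this advisory). It correlates access-log lines with a set of accounts that have view: false configured and flags every successful request those accounts make to dashboard or action-binding endpoints, counting repeats per user to surface systematic enumeration. The key=value log format, the sample lines, the restricted-user set and the endpoint path names are all constructed for the example; the real route names should be taken from your OliveTin instance and the restricted-user set derived from its ACL configuration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// LogEntry is one parsed access-log line. The key=value line format is constructed for this
// example; adapt parseLine to whatever your reverse proxy or OliveTin instance actually emits.
type LogEntry struct {
	Time   string
	User   string
	Path   string
	Status int
}

// parseLine reads "time=... user=... path=... status=..." tokens and reports ok=false when
// user or path is missing or status is not numeric, so malformed lines are skipped, not misread.
func parseLine(line string) (LogEntry, bool) {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			fields[k] = v
		}
	}
	status, err := strconv.Atoi(fields["status"])
	if err != nil || fields["user"] == "" || fields["path"] == "" {
		return LogEntry{}, false
	}
	return LogEntry{Time: fields["time"], User: fields["user"], Path: fields["path"], Status: status}, true
}

// enumerationEndpoints are path prefixes of the dashboard and action-binding endpoints to watch.
// These route names are assumptions for the example, not verified OliveTin routes.
var enumerationEndpoints = []string{"/api/GetDashboardComponents", "/api/GetActionBindings"}

func isEnumerationPath(path string) bool {
	for _, p := range enumerationEndpoints {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}

// Alert is one successful enumeration request by a user who has view: false configured.
// Count is how many such requests that user has made so far in the log being scanned.
type Alert struct {
	Time, User, Path string
	Count            int
}

// findViewBypass implements the alerting strategy above: report every 2xx response on an
// enumeration endpoint for a user in restrictedUsers (accounts with view: false on at least
// one action; in a real deployment this set comes from the OliveTin ACL configuration).
func findViewBypass(lines []string, restrictedUsers map[string]bool) []Alert {
	counts := map[string]int{}
	var alerts []Alert
	for _, line := range lines {
		e, ok := parseLine(line)
		if !ok || !restrictedUsers[e.User] || !isEnumerationPath(e.Path) {
			continue
		}
		if e.Status < 200 || e.Status >= 300 {
			continue
		}
		counts[e.User]++
		alerts = append(alerts, Alert{Time: e.Time, User: e.User, Path: e.Path, Count: counts[e.User]})
	}
	return alerts
}

// repeatOffenders lists users whose flagged-request count reached threshold, which is the
// "systematic enumeration" pattern the detection strategies call out.
func repeatOffenders(alerts []Alert, threshold int) []string {
	var users []string
	for _, a := range alerts {
		if a.Count == threshold {
			users = append(users, a.User)
		}
	}
	return users
}

// sampleLog is constructed data: alice has view: false on some actions, bob does not.
var sampleLog = []string{
	"time=2026-03-07T10:00:01Z user=alice path=/api/GetDashboardComponents status=200",
	"time=2026-03-07T10:00:02Z user=bob path=/api/GetDashboardComponents status=200",
	"time=2026-03-07T10:00:03Z user=alice path=/api/StartAction status=403",
	"time=2026-03-07T10:00:04Z user=alice path=/api/GetActionBindings status=200",
	"this line is malformed and is skipped",
	"time=2026-03-07T10:00:05Z user=alice path=/api/GetActionBindings status=200",
}

func main() {
	alerts := findViewBypass(sampleLog, map[string]bool{"alice": true})
	for _, a := range alerts {
		fmt.Printf("%s user=%s path=%s (request #%d)\n", a.Time, a.User, a.Path, a.Count)
	}
	fmt.Println("repeat offenders:", repeatOffenders(alerts, 3))
}
```

One caveat when tuning this rule: the patched lookup in the commit above returns nil rather than an error, so a patched instance will most likely still answer a restricted user's dashboard request with a 2xx and simply omit the hidden actions. A 2xx from a restricted account is therefore strong evidence only in logs from before the upgrade; afterwards it is a prompt to inspect what the response contained, not proof of disclosure on its own.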
How to Mitigate CVE-2026-30233
Immediate Actions Required
- Upgrade OliveTin to version 3000.11.1 or later immediately
- Review access logs for any evidence of exploitation prior to patching
- Audit user accounts and their permission configurations to identify potentially affected restricted users
- Consider temporarily restricting API access until the patch is applied
Patch Information
OliveTin has released version 3000.11.1 which addresses this vulnerability by properly enforcing IsAllowedView() checks when constructing dashboard and action binding responses. The fix is available in commit d7962710e7c46f6bdda4188b5b0cdbde4be665a0.
For detailed patch information, refer to the GitHub Security Advisory GHSA-jf73-858c-54pg and the Release Notes for version 3000.11.1.
Workarounds
- Temporarily disable API access for users with restricted view permissions until patching is complete
- Place OliveTin behind a reverse proxy with additional access controls to limit API endpoint exposure
- Review and minimize the number of authenticated accounts that rely on view: false restrictions, since any such account can trigger the disclosure
# Verify current OliveTin version
olivetin --version
# After upgrade, verify the patched version
olivetin --version
# Expected output: 3000.11.1 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.