CVE-2026-30233
📋 TL;DR
This CVE describes an authorization flaw in the OliveTin web interface that allows authenticated users with the 'view: false' permission to enumerate action bindings and metadata via dashboard and API endpoints. While execution is correctly denied, such users can still retrieve sensitive information including action titles, IDs, icons, and argument metadata. This affects all OliveTin instances that have users with restricted view permissions.
💻 Affected Systems
- OliveTin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map the entire command infrastructure, identify sensitive operations, and use the gathered metadata to plan further attacks or social engineering attempts against administrators.
Likely Case
Restricted users gain unauthorized visibility into system operations and command structures, potentially identifying high-value targets for privilege escalation or lateral movement.
If Mitigated
With proper access controls and monitoring, impact is limited to information disclosure without execution capabilities.
🎯 Exploit Status
Exploitation requires valid user credentials with restricted view permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3000.11.1
Vendor Advisory: https://github.com/OliveTin/OliveTin/security/advisories/GHSA-jf73-858c-54pg
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Stop the OliveTin service.
3. Update to version 3000.11.1 or later.
4. Restart the OliveTin service.
5. Verify functionality.
🔧 Temporary Workarounds
Restrict User Permissions
Temporarily remove 'view: false' permissions from users, or restrict access to the dashboard/API endpoints.
# Edit OliveTin configuration to modify user permissions
# Set view: true for all users or restrict dashboard access
🧯 If You Can't Patch
- Implement network segmentation to isolate OliveTin instances from sensitive systems
- Enhance monitoring of API and dashboard access patterns for unusual enumeration attempts
🔍 How to Verify
Check if Vulnerable:
Check OliveTin version and verify if users with 'view: false' permission can access action metadata via dashboard or API endpoints.
Check Version:
olivetin --version
Verify Fix Applied:
After patching, test that users with 'view: false' permission cannot retrieve action titles, IDs, icons, or argument metadata.
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests from users with restricted permissions
- Multiple sequential requests to action metadata endpoints
Network Indicators:
- Patterns of enumeration requests to /api/actions or dashboard endpoints
SIEM Query:
source="olivetin" AND (uri_path="/api/actions" OR uri_path="/dashboard") AND user_permission="view:false"
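The SIEM query above matches single requests; the "multiple sequential requests" log indicator also needs a per-user count over a time window. The following is an added example (not code from the OliveTin project or from this advisory) implementing both checks over constructed log lines. The log format is an assumption made for illustration (timestamp, `user=`, `view=`, `path=` fields) and is not OliveTin's real log format; the metadata endpoints are the `/api/actions` and `/dashboard` paths named on this page.

```python
"""Detect action-metadata enumeration by users whose 'view' permission is false.

Added example. The log line format below is constructed for illustration and is
NOT OliveTin's actual log format; adapt parse_line() to your real access logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named on the advisory page as exposing action metadata.
METADATA_PATHS = ("/api/actions", "/dashboard")

# Constructed sample lines (hypothetical format, not real OliveTin output).
SAMPLE_LOG = """\
2026-03-01T10:00:01Z user=alice view=true path=/api/actions status=200
2026-03-01T10:00:05Z user=bob view=false path=/api/actions status=200
2026-03-01T10:00:06Z user=bob view=false path=/dashboard status=200
2026-03-01T10:00:07Z user=bob view=false path=/api/actions status=200
2026-03-01T10:00:09Z user=bob view=false path=/api/actions status=200
2026-03-01T10:05:00Z user=carol view=false path=/api/login status=200
2026-03-01T10:30:00Z user=carol view=false path=/api/actions status=200
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed 'ts' datetime."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def restricted_metadata_hits(log_text):
    """Requests by view=false users to a metadata endpoint: the page's SIEM query as code."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("view") == "false" and any(
            rec.get("path", "").startswith(p) for p in METADATA_PATHS
        ):
            hits.append(rec)
    return hits


def enumeration_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Map user -> largest number of metadata hits seen inside any sliding window.

    Only users reaching `threshold` hits are returned; this is the
    'multiple sequential requests' indicator rather than a single match.
    """
    by_user = defaultdict(list)
    for rec in restricted_metadata_hits(log_text):
        by_user[rec["user"]].append(rec["ts"])

    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    for rec in restricted_metadata_hits(SAMPLE_LOG):
        print("hit:", rec["ts"].isoformat(), rec["user"], rec["path"])
    print("bursts:", enumeration_bursts(SAMPLE_LOG))
```

On the constructed sample, alice is ignored (view=true), carol's single metadata request is a hit but not a burst, and bob's four requests within five seconds are flagged. The threshold and window are tuning knobs; after applying the 3000.11.1 fix these endpoints should stop returning metadata to view=false users, so continued hits from such users after patching are worth a second look.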