4.3

OliveTin: Authorized Users Can See Sensitive Info

CVE-2026-30233 · GHSA-jf73-858c-54pg
Summary

Authenticated users with limited access can view sensitive information, including actions and metadata, in OliveTin versions prior to 3000.11.1. This could potentially lead to unauthorized actions or misuse of the system. Update to version 3000.11.1 or later to patch this vulnerability.

What to do
  • Update the github.com olivetin package to version 0.0.0-20260305082002-d7962710e7c4.
  • Update the olivetin github.com/olivetin/olivetin package to version 0.0.0-20260305082002-d7962710e7c4.
Affected software

Vendor      Product                        Affected versions                      Fix available
github.com  olivetin                       <= 0.0.0-20260305082002-d7962710e7c4   0.0.0-20260305082002-d7962710e7c4
olivetin    github.com/olivetin/olivetin   <= 0.0.0-20260305082002-d7962710e7c4   0.0.0-20260305082002-d7962710e7c4
olivetin    olivetin                       <= 3000.11.1                           –
Original title
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enum...
Original description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1.
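The description above pins the defect to response construction: the exec gate worked, but the dashboard and action-binding handlers copied every binding into the response without consulting IsAllowedView(). The following is an added illustration, not OliveTin's own code; the Action, Permission and User types, the isAllowedView/isAllowedExec helpers and the sample data are all constructed assumptions that model the view/exec split the advisory describes. It places the flawed response builder beside the fixed one so the difference is visible in one place.

```go
package main

import (
	"errors"
	"fmt"
)

// Action is a constructed stand-in for an OliveTin action binding. The
// fields mirror what the advisory says leaked (title, ID, icon, argument
// metadata); the type itself is an assumption, not OliveTin's real struct.
type Action struct {
	ID    string
	Title string
	Icon  string
	Args  []string
}

// Permission models the view/exec split described in the advisory.
type Permission struct {
	View bool
	Exec bool
}

// User carries per-action permissions keyed by action ID (constructed model).
type User struct {
	Name  string
	Perms map[string]Permission
}

// isAllowedView stands in for IsAllowedView(): deny unless explicitly granted.
func isAllowedView(u User, a Action) bool {
	p, ok := u.Perms[a.ID]
	return ok && p.View
}

// isAllowedExec stands in for the exec check the advisory says was enforced.
func isAllowedExec(u User, a Action) bool {
	p, ok := u.Perms[a.ID]
	return ok && p.Exec
}

// BuildDashboardVulnerable reproduces the flawed shape: every binding is
// copied into the response, so a view:false user still receives metadata.
func BuildDashboardVulnerable(u User, actions []Action) []Action {
	return append([]Action(nil), actions...)
}

// BuildDashboardFixed applies the view check while constructing the
// response, which is exactly where the advisory says it was missing.
func BuildDashboardFixed(u User, actions []Action) []Action {
	var out []Action
	for _, a := range actions {
		if isAllowedView(u, a) {
			out = append(out, a)
		}
	}
	return out
}

// ExecuteAction shows why the exec gate alone is not enough: it stops the
// action from running but says nothing about whether it may be listed.
func ExecuteAction(u User, a Action) error {
	if !isAllowedExec(u, a) {
		return errors.New("exec denied")
	}
	return nil
}

// SampleActions and RestrictedUser are constructed test data: a user who
// may view and run "ping" but has view:false on "restart-web".
func SampleActions() []Action {
	return []Action{
		{ID: "restart-web", Title: "Restart web server", Icon: "server", Args: []string{"service"}},
		{ID: "ping", Title: "Ping a host", Icon: "network", Args: []string{"host"}},
	}
}

func RestrictedUser() User {
	return User{Name: "limited", Perms: map[string]Permission{
		"ping":        {View: true, Exec: true},
		"restart-web": {View: false, Exec: false},
	}}
}

func main() {
	u, acts := RestrictedUser(), SampleActions()
	fmt.Printf("vulnerable response: %d actions\n", len(BuildDashboardVulnerable(u, acts)))
	fmt.Printf("fixed response:      %d actions\n", len(BuildDashboardFixed(u, acts)))
	fmt.Println("exec restart-web:", ExecuteAction(u, acts[0]))
}
```

The design point is that authorization for a listing endpoint has to be applied per item at the moment the response is assembled, with deny-by-default semantics when no permission entry exists; a check that only guards the exec path leaves titles, IDs, icons and argument metadata readable by any authenticated caller.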
NVD CVSS 3.1 score: 6.5
Vulnerability type
CWE-200 Information Exposure
CWE-862 Missing Authorization
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026