PT-2026-23615 · Olivetin · Olivetin

Zwique · Published 2026-03-05 · Updated 2026-03-25 · CVE-2026-30225

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OliveTin versions prior to 3000.11.1
Description: OliveTin exposes predefined shell commands through a web interface. A flaw in the RestartAction functionality lets a low-privileged authenticated user execute actions they are not permitted to run. RestartAction constructs a new connect.Request for the internal call without carrying over the original caller's authentication headers and cookies, so the authentication resolver cannot identify the caller and falls back to the guest user. If the guest account has broader permissions than the authenticated user, the result is privilege escalation and unauthorized command execution: the caller bypasses the configured Access Control Lists (ACL) and runs arbitrary configured shell actions under the guest's permissions.

The vulnerable files are service/internal/api/api.go and service/internal/auth/authcheck.go; the StartAction function and the UserFromApiCall() function take part in the authentication path. A proof of concept demonstrates that a low-privileged user can execute commands by invoking the RestartAction endpoint with an execution tracking ID. Depending on the privileges OliveTin runs with, this can lead to arbitrary file writes, sensitive data exposure, and potential full host compromise.
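The fallback-to-guest path described above, as an added illustration that is not OliveTin's code: a model of the identity resolver, the ACL gate, a restart handler that rebuilds the request without the caller's headers (the flaw), and a variant that threads the already-resolved caller through instead. The X-User header, the action names and the ACL contents are constructed assumptions chosen to make the escalation visible.

```go
package main

import (
	"fmt"
	"net/http"
)

// Request is a minimal stand-in for the request object an RPC handler
// receives; only the headers and the requested action matter here.
type Request struct {
	Header http.Header
	Action string
}

// User is a resolved identity. guest is the fallback the resolver returns
// when the request carries no credential, as the advisory describes.
type User struct{ Name string }

var guest = User{Name: "guest"}

// acl is constructed sample policy: the guest account has been granted
// "restart-db", while the authenticated user "alice" may only run "ping".
// A guest account broader than a real user is the precondition for the
// escalation.
var acl = map[string]map[string]bool{
	"guest": {"restart-db": true},
	"alice": {"ping": true},
}

// userFromRequest models the role of UserFromApiCall(): it trusts an assumed
// X-User header (for instance set by an authenticating reverse proxy) and
// falls back to guest when the header is absent.
func userFromRequest(req *Request) User {
	if name := req.Header.Get("X-User"); name != "" {
		return User{Name: name}
	}
	return guest
}

// runAs is the ACL gate: refuse unless this user may run this action.
func runAs(user User, action string) (string, error) {
	if !acl[user.Name][action] {
		return "", fmt.Errorf("user %q is not permitted to run %q", user.Name, action)
	}
	return fmt.Sprintf("ran %q as %q", action, user.Name), nil
}

// startAction resolves the caller from the request it is handed and then
// applies the ACL. It is only as trustworthy as the request it receives.
func startAction(req *Request) (string, error) {
	return runAs(userFromRequest(req), req.Action)
}

// restartActionVulnerable mirrors the flaw: a fresh internal request is
// built without the original headers or cookies, so startAction resolves
// guest instead of the real caller and checks guest's ACL.
func restartActionVulnerable(orig *Request, action string) (string, error) {
	internal := &Request{Header: http.Header{}, Action: action}
	return startAction(internal)
}

// restartActionFixed resolves the caller from the original request and
// passes that identity through explicitly, so rebuilding the request can
// no longer change who the ACL check is applied to.
func restartActionFixed(orig *Request, action string) (string, error) {
	caller := userFromRequest(orig)
	return runAs(caller, action)
}

func main() {
	// Constructed scenario: alice is authenticated but may only run "ping";
	// she asks to restart a tracked execution of "restart-db".
	orig := &Request{Header: http.Header{"X-User": {"alice"}}, Action: "restart-db"}

	out, err := restartActionVulnerable(orig, "restart-db")
	fmt.Println("vulnerable:", out, err) // runs as guest: escalation

	out, err = restartActionFixed(orig, "restart-db")
	fmt.Println("fixed:", out, err) // denied: alice lacks the permission
}
```

The design point is that an authorization decision must be made against the principal who made the call, not against whatever identity a freshly constructed internal request happens to resolve to; copying headers into the new request would also work, but carrying the resolved user forward removes the dependency on the resolver's fallback behaviour entirely.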
Recommendations: Update OliveTin to version 3000.11.1 or later. Because the escalation only applies when the guest account is granted actions the authenticated caller is not, reviewing the guest ACL and removing any such grants limits exposure until the update is applied.

Exploit · Fix · LPE

Related Identifiers

CVE-2026-30225
GHSA-P443-P7W5-2F7F
GO-2026-4625
SUSE-SU-2026:1042-1

Affected Products

Olivetin