PT-2026-23617 · Olivetin · Olivetin

Zwique · Published 2026-03-05 · Updated 2026-03-25 · CVE-2026-30233

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OliveTin versions prior to 3000.11.1
Description: OliveTin has an authorization issue: authenticated users whose permissions do not grant view access (view: false) can still read metadata about actions through the dashboard and the API. The backend does not enforce view permissions when it generates the responses for dashboard and action-binding information, so a restricted user can retrieve action titles, IDs, icons and argument metadata even though they are not authorized to execute those actions. The affected API endpoints are '/api/GetDashboard' and '/api/GetActionBinding'; the vulnerable parameter is bindingId in '/api/GetActionBinding'. The root cause is that IsAllowedView() is not applied when these responses are constructed.
Recommendations: Update OliveTin to version 3000.11.1 or later.
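The authorization gap the description names, modelled as an added example in Go (OliveTin's language). This is illustrative code written for this page, not OliveTin's source: the Action, ActionBinding and User types, the CanView map, the errBindingNotFound error and the constructed sample actions and bindingIds are all assumptions; only the IsAllowedView name and the two endpoints come from the advisory. Each handler is shown in its pre-fix form (metadata returned for every action) beside a form that consults IsAllowedView per action before serialising anything.

```go
package main

import (
	"errors"
	"fmt"
)

// Action, ActionBinding and User are simplified stand-ins assumed for this
// example, not OliveTin's real types. Action carries only the metadata the
// advisory says was exposed; User.CanView maps action ID to view permission,
// and an absent key means view: false.
type Action struct {
	ID, Title, Icon string
	Args            []string
}

type ActionBinding struct {
	BindingID string
	Action    *Action
}

type User struct {
	CanView map[string]bool
}

// IsAllowedView is the check the advisory says was skipped when the dashboard
// and action-binding responses were built.
func IsAllowedView(u *User, a *Action) bool {
	return u.CanView[a.ID]
}

// errBindingNotFound is returned for unknown bindingIds. The fixed handler
// returns the same error for forbidden ones, so the endpoint cannot be used
// to enumerate which bindingIds exist.
var errBindingNotFound = errors.New("binding not found")

// getDashboardVulnerable models the pre-3000.11.1 behaviour: every action's
// metadata is serialised without consulting IsAllowedView.
func getDashboardVulnerable(_ *User, all []*Action) []Action {
	out := make([]Action, 0, len(all))
	for _, a := range all {
		out = append(out, *a)
	}
	return out
}

// getDashboardFixed applies IsAllowedView per action before including it.
func getDashboardFixed(u *User, all []*Action) []Action {
	out := make([]Action, 0, len(all))
	for _, a := range all {
		if IsAllowedView(u, a) {
			out = append(out, *a)
		}
	}
	return out
}

// getActionBindingVulnerable resolves any known bindingId regardless of permission.
func getActionBindingVulnerable(_ *User, bindings map[string]*ActionBinding, id string) (*ActionBinding, error) {
	if b, ok := bindings[id]; ok {
		return b, nil
	}
	return nil, errBindingNotFound
}

// getActionBindingFixed additionally enforces IsAllowedView on the bound action.
func getActionBindingFixed(u *User, bindings map[string]*ActionBinding, id string) (*ActionBinding, error) {
	if b, ok := bindings[id]; ok && IsAllowedView(u, b.Action) {
		return b, nil
	}
	return nil, errBindingNotFound
}

// sampleActions and sampleBindings build constructed sample data for the demo.
func sampleActions() []*Action {
	return []*Action{
		{ID: "restart-web", Title: "Restart web server", Icon: "refresh", Args: []string{"service"}},
		{ID: "rotate-keys", Title: "Rotate API keys", Icon: "key", Args: []string{"keyset"}},
	}
}

func sampleBindings(actions []*Action) map[string]*ActionBinding {
	m := make(map[string]*ActionBinding, len(actions))
	for i, a := range actions {
		id := fmt.Sprintf("binding-%d", i+1)
		m[id] = &ActionBinding{BindingID: id, Action: a}
	}
	return m
}

func main() {
	actions := sampleActions()
	bindings := sampleBindings(actions)
	// Restricted user: view: true only for restart-web; rotate-keys is view: false.
	restricted := &User{CanView: map[string]bool{"restart-web": true}}
	fmt.Printf("dashboard actions: vulnerable=%d fixed=%d\n",
		len(getDashboardVulnerable(restricted, actions)), len(getDashboardFixed(restricted, actions)))
	for _, id := range []string{"binding-1", "binding-2", "binding-99"} {
		_, errV := getActionBindingVulnerable(restricted, bindings, id)
		_, errF := getActionBindingFixed(restricted, bindings, id)
		fmt.Printf("%s: vulnerable=%v fixed=%v\n", id, errV, errF)
	}
}
```

Two points a practitioner would check in a real fix: the filter has to run on the server when the response is assembled, not in the dashboard UI, since the API endpoints are reachable directly; and the forbidden and unknown bindingId cases should be indistinguishable to the caller, otherwise '/api/GetActionBinding' still leaks which bindingIds exist even after the metadata itself is withheld.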

Exploit

Fix

Information Disclosure

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-30233
GHSA-JF73-858C-54PG
GO-2026-4629
SUSE-SU-2026:1042-1

Affected Products

Olivetin