PT-2026-24819 · Olivetin · Olivetin

Kule500 · Published 2026-03-11 · Updated 2026-03-25 · CVE-2026-32102

CVSS v4.0: 7.1 High
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

OliveTin versions 3000.10.2 and earlier

Description

OliveTin exposes predefined shell commands through a web interface. In versions 3000.10.2 and earlier, the live EventStream broadcasts execution events and action output to every authenticated dashboard subscriber without enforcing authorization per action. A low-privileged authenticated user therefore receives output from actions they are not permitted to view, which is broken access control and disclosure of sensitive information.

The issue resides in the live event streaming path, specifically in the EventStream() function, which verifies dashboard access only once, at subscription time. The execution callbacks OnExecutionStarted, OnExecutionFinished and OnOutputChunk then broadcast to all connected clients without checking each recipient's authorization before sending action metadata or output; the event payload carries the action output via internalLogEntryToPb and Output. A proof-of-concept (PoC) test shows that a user without the relevant access control list (ACL) entries still receives streamed completion events and protected action output. The impact falls on multi-user OliveTin deployments in which privileged actions produce sensitive data.

Recommendations

OliveTin 3000.10.2 and earlier are affected; upgrade to a later release in which the EventStream enforces per-action authorization. Until then, treat the output of any privileged action as visible to every user who can open the dashboard, and avoid running actions that emit secrets in shared deployments.
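The broadcast pattern the description refers to, modelled as an added Go example that is not OliveTin's own code: the hub checks dashboard access only when a client subscribes, and the three execution callbacks fan every event out to all subscribers. The Hub, Subscriber, Action, canView and LeakedEvents names, the "dump-secrets" action and the sample output line are all constructed for the illustration; the perActionACL switch shows the vulnerable behaviour beside the hardened one, where each event is filtered by the recipient's ACL for that action before it is sent.

```go
package main

import (
	"errors"
	"fmt"
)

// Action is a predefined command with an allow-list of users who may view its
// output. A nil AllowedUsers set means every dashboard user may view it.
type Action struct {
	ID           string
	AllowedUsers map[string]bool
}

// Subscriber is one connected EventStream client and the events it received.
type Subscriber struct {
	User   string
	Events []string
}

// Hub fans execution events out to subscribers (hypothetical type). With
// perActionACL false, authorization is checked only at subscribe time, which is
// the advisory's broken path; with it true, every event is also filtered by the
// recipient's ACL for the action that produced it.
type Hub struct {
	perActionACL bool
	actions      map[string]Action
	dashboard    map[string]bool // users allowed to open the dashboard at all
	subscribers  []*Subscriber
}

// Subscribe mirrors the advisory's EventStream(): the only authorization check
// on the vulnerable path happens here, once, when the client connects.
func (h *Hub) Subscribe(user string) (*Subscriber, error) {
	if !h.dashboard[user] {
		return nil, errors.New("dashboard access denied")
	}
	s := &Subscriber{User: user}
	h.subscribers = append(h.subscribers, s)
	return s, nil
}

// canView is the per-action check the vulnerable path never consults.
func (h *Hub) canView(user, actionID string) bool {
	a, ok := h.actions[actionID]
	if !ok {
		return false // unknown action: fail closed
	}
	if a.AllowedUsers == nil {
		return true
	}
	return a.AllowedUsers[user]
}

// broadcast delivers one serialized event to connected clients. With
// perActionACL off every subscriber receives it, regardless of the action's ACL.
func (h *Hub) broadcast(actionID, event string) {
	for _, s := range h.subscribers {
		if h.perActionACL && !h.canView(s.User, actionID) {
			continue // hardened: recipient is not authorized for this action
		}
		s.Events = append(s.Events, event)
	}
}

// The three execution callbacks named in the advisory, as thin wrappers.
func (h *Hub) OnExecutionStarted(actionID string) { h.broadcast(actionID, "started:"+actionID) }

func (h *Hub) OnOutputChunk(actionID, chunk string) {
	h.broadcast(actionID, "output:"+actionID+":"+chunk)
}

func (h *Hub) OnExecutionFinished(actionID string) { h.broadcast(actionID, "finished:"+actionID) }

// LeakedEvents replays the scenario: "admin" runs an action whose ACL excludes
// "viewer", and the function returns what "viewer" received. A non-empty
// result means protected output reached an unauthorized user.
func LeakedEvents(perActionACL bool) []string {
	h := &Hub{
		perActionACL: perActionACL,
		actions: map[string]Action{
			"dump-secrets": {ID: "dump-secrets", AllowedUsers: map[string]bool{"admin": true}},
		},
		dashboard: map[string]bool{"admin": true, "viewer": true}, // both may open the dashboard
	}
	h.Subscribe("admin")
	viewer, _ := h.Subscribe("viewer") // constructed low-privileged dashboard user
	h.OnExecutionStarted("dump-secrets")
	h.OnOutputChunk("dump-secrets", "DB_PASSWORD=hunter2") // constructed sample output
	h.OnExecutionFinished("dump-secrets")
	return viewer.Events
}

func main() {
	fmt.Println("vulnerable (subscribe-time check only):", LeakedEvents(false))
	fmt.Println("hardened (per-action check per event): ", LeakedEvents(true))
}
```

The fix lives in broadcast, not in Subscribe: a subscribe-time check proves the client may see the dashboard, but every event must be checked against the ACL of the action that produced it, because the set of actions a user may view is narrower than the set of users who may connect. Filtering per recipient at send time, rather than trusting the subscription, is what closes the leak.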

Weakness Enumeration

Improper Access Control
Incorrect Authorization

Related Identifiers

CVE-2026-32102
GHSA-228V-WC5R-J8M7
GO-2026-4683
SUSE-SU-2026:1042-1

Affected Products

Olivetin