CVE-2026-48709

Published: Giu 15, 2026 Last Modified: Giu 15, 2026
ExploitDB:
Other exploit source:
Google Dorks:
LOW 3,7
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: low
Integrity: none
Availability: none

Description

AI Translation Available

OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations. This issue has been fixed in version 3000.13.0.

862

Missing Authorization

Incomplete
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control Availability
Potential Impacts:
Read Application Data Read Files Or Directories Modify Application Data Modify Files Or Directories Gain Privileges Or Assume Identity Bypass Protection Mechanism Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)
Applicable Platforms
Technologies: AI/ML, Web Server, Database Server, Not Technology-Specific
Likelihood of Exploit: High
View CWE Details
https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0
https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0
https://github.com/OliveTin/OliveTin/security/advisories/GH…
https://github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx