CVE-2026-27626
Received Received - Intake
Unauthenticated Remote Code Execution in OliveTin Shell Mode

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching `sh -c`. When exploiting vector 1, any authenticated user (registration enabled by default, `authType: none` by default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process. When exploiting vector 2, an unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case. When an attacker exploits both vectors, this results in unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions. As of time of publication, a patched version is not available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27626
EUVD
EUVD-2026-8600
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
olivetin olivetin to 3000.10.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27626 is a critical OS Command Injection vulnerability in OliveTin versions up to 3000.10.0. OliveTin provides access to predefined shell commands via a web interface. The vulnerability arises because the shell mode safety check blocks many dangerous argument types but excludes the 'password' type, allowing users to inject shell metacharacters and execute arbitrary OS commands."}, {'type': 'paragraph', 'content': "There are two independent attack vectors: Vector 1 allows any authenticated user to supply a malicious 'password' argument containing shell metacharacters that get executed by the shell. Vector 2 allows unauthenticated attackers to send specially crafted JSON payloads to webhook endpoints, bypassing type safety checks and enabling remote code execution (RCE). When combined, these vectors allow unauthenticated RCE on OliveTin instances using Shell mode with webhook-triggered actions."}] [1]

Impact Analysis

This vulnerability allows attackers to execute arbitrary operating system commands on the OliveTin host with the permissions of the OliveTin process.

  • Authenticated users can exploit Vector 1 to run arbitrary commands by injecting malicious input in password-typed arguments.
  • Unauthenticated attackers can exploit Vector 2 by sending malicious JSON payloads to webhook endpoints, leading to remote code execution without any authentication.

The combined effect is unauthenticated remote code execution, which can compromise the confidentiality, integrity, and availability of the affected system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for suspicious command executions and malformed inputs that include shell metacharacters in password arguments or webhook JSON payloads.'}, {'type': 'paragraph', 'content': 'For Vector 1 (authenticated user input), you can check OliveTin API logs for POST requests to /api/StartAction containing password arguments with shell metacharacters such as ;, |, `, or $().'}, {'type': 'paragraph', 'content': 'For Vector 2 (unauthenticated webhook), monitor incoming POST requests to webhook endpoints (e.g., /webhook/git-deploy) for JSON payloads containing suspicious values with shell metacharacters.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts include:'}, {'type': 'list_item', 'content': 'Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP POST requests to /api/StartAction and /webhook/* endpoints and inspect payloads for shell metacharacters.'}, {'type': 'list_item', 'content': 'Search OliveTin server logs for command executions containing suspicious shell metacharacters, for example using grep:'}, {'type': 'list_item', 'content': 'grep -E ";|\\||`|\\$\\(\\)" /path/to/olivetin/logs/*'}, {'type': 'list_item', 'content': 'Check running processes for unexpected shell commands spawned by OliveTin using:'}, {'type': 'list_item', 'content': 'ps aux | grep olivetin'}] [1]

Mitigation Strategies

Immediate mitigation steps include restricting access and disabling vulnerable features until a patch is available.

  • Restrict or disable webhook endpoints that accept unauthenticated POST requests to prevent unauthenticated remote code execution.
  • Disable or restrict Shell mode usage in OliveTin to prevent execution of arbitrary shell commands.
  • Enforce authentication and authorization on all API endpoints, especially /api/StartAction and webhook endpoints.
  • Monitor and audit OliveTin logs for suspicious command executions or unusual activity.
  • Consider network-level controls such as firewall rules to limit access to OliveTin services.

As of the publication date, no patched version is available, so these mitigations are critical to reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27626. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart