CVE-2026-30225
Authentication Context Confusion in OliveTin RestartAction Enables Privilege Escalation
Publication date: 2026-03-06
Last updated on: 2026-03-12
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| olivetin | olivetin | < 3000.11.1 (all versions before 3000.11.1; 3000.11.1 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-250 | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
| CWE-441 | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30225 is an authentication context confusion vulnerability in OliveTin's RestartAction feature prior to version 3000.11.1.

The vulnerability occurs because RestartAction creates a new internal request without preserving the original caller's authentication headers or cookies. When this synthetic request is passed to StartAction, the authentication resolver finds no identity on it and defaults to the guest user.

If the guest user has broader permissions than the original authenticated user, this fallback is a privilege escalation: a low-privileged authenticated user can bypass the access control restrictions that apply to their own account and execute any shell action configured on the server with the guest user's permissions.

This issue has been patched in version 3000.11.1. [1]
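The following Go program is an added example written for this page; it is not OliveTin's code and does not reproduce OliveTin's types, handlers or real header names. It models the pattern the advisory describes: a resolver that falls back to guest when a request carries no identity, a restart handler that builds a fresh internal request (losing the caller's headers and cookies), and a hardened variant that resolves the caller once and passes the resolved identity downstream instead of a synthetic request. The identity header `X-Forwarded-User`, the `session` cookie, the action name and the ACL (guest may exec, `alice` may not) are all assumptions chosen to match the deployment shape the advisory calls out.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Principal is the identity an auth resolver derives from an HTTP request.
// Simplified model written for this example, not OliveTin's own types.
type Principal struct {
	Username string
	IsGuest  bool
}

// Hypothetical ACL: guest may exec, the authenticated user "alice" may not.
// This is exactly the configuration the advisory says makes the bug exploitable.
var canExec = map[string]bool{
	"guest": true,
	"alice": false,
}

// resolvePrincipal mirrors the described resolver behaviour: an identity header
// or session cookie (hypothetical names) wins; with neither present, fall back
// to guest. The fallback itself is not the bug; feeding it a request that has
// had its identity stripped is.
func resolvePrincipal(r *http.Request) Principal {
	if u := r.Header.Get("X-Forwarded-User"); u != "" {
		return Principal{Username: u}
	}
	if c, err := r.Cookie("session"); err == nil && c.Value != "" {
		return Principal{Username: c.Value}
	}
	return Principal{Username: "guest", IsGuest: true}
}

var errForbidden = errors.New("exec permission denied")

// startActionAs enforces the ACL for an already-resolved principal.
func startActionAs(p Principal, actionID string) error {
	if !canExec[p.Username] {
		return fmt.Errorf("%w: user %q, action %q", errForbidden, p.Username, actionID)
	}
	return nil
}

// startAction is the request-facing entry point: it resolves the caller first.
func startAction(r *http.Request, actionID string) error {
	return startActionAs(resolvePrincipal(r), actionID)
}

// restartVulnerable reproduces the flaw: it builds a fresh internal request and
// hands that to startAction. The caller's headers and cookies are gone, so the
// resolver sees guest and guest's ACL applies instead of the caller's.
func restartVulnerable(orig *http.Request, actionID string) error {
	internal, err := http.NewRequest(http.MethodPost, "/api/StartAction", nil)
	if err != nil {
		return err
	}
	return startAction(internal, actionID)
}

// restartFixed resolves the principal from the original request and passes the
// identity itself downstream. There is no synthetic request for the resolver to
// misread, so the guest fallback cannot be reached by an authenticated caller.
func restartFixed(orig *http.Request, actionID string) error {
	return startActionAs(resolvePrincipal(orig), actionID)
}

// callerRequest builds a constructed inbound request. An empty user means an
// unauthenticated caller, which the resolver legitimately treats as guest.
func callerRequest(user string) *http.Request {
	r, err := http.NewRequest(http.MethodPost, "/api/RestartAction", nil)
	if err != nil {
		panic(err)
	}
	if user != "" {
		r.Header.Set("X-Forwarded-User", user)
	}
	return r
}

func main() {
	alice := callerRequest("alice")
	fmt.Println("vulnerable, alice:", restartVulnerable(alice, "reboot-db"))
	fmt.Println("fixed, alice:     ", restartFixed(alice, "reboot-db"))
	fmt.Println("fixed, guest:     ", restartFixed(callerRequest(""), "reboot-db"))
}
```

Run with `go run .`: the vulnerable path lets `alice` execute the action (it returns no error, because the ACL consulted was guest's), the fixed path denies her, and a genuinely unauthenticated caller is still treated as guest. The design point is that identity should be resolved once at the edge and carried as a value; re-deriving it from a request that the server itself constructed guarantees that whatever the resolver's default is becomes the effective permission level.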
How can this vulnerability impact me?
This vulnerability can lead to privilege escalation and unauthorized command execution by a low-privileged authenticated user.
- Bypass of Access Control List (ACL) restrictions.
- Execution of arbitrary configured shell actions with elevated privileges.
- Potential arbitrary file writes.
- Exposure of sensitive data.
- Possible full host compromise depending on OliveTin runtime privileges.
The impact is significant in deployments where the guest user has execution permissions and restricted users do not, and where the RestartAction endpoint is accessible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability lets a low-privileged authenticated user call the RestartAction endpoint and have the resulting shell command run under the guest user's permissions, because the internal request RestartAction creates carries none of the caller's authentication context.
The first check is the version: any OliveTin instance below 3000.11.1 is affected if its guest user holds permissions (in particular exec) that some authenticated users do not.
For detection after the fact, look for RestartAction calls whose resulting execution is attributed to a different, broader identity than the caller:
- Check OliveTin server logs for RestartAction API calls and compare the user recorded for the resulting execution against the user who made the call. An execution attributed to guest that follows a RestartAction call from an authenticated session is the signature of this issue.
- Network capture of the RestartAction endpoint shows only the caller's inbound request, which does carry their authentication headers or cookies; the headers are dropped inside the process, not on the wire. Capture is therefore useful for establishing who called RestartAction and when, not for observing the missing headers directly.
- If you have access to the OliveTin API or its execution history, query the execution records and verify the user context under which each action ran, correlating them with the RestartAction calls above.
Specific commands are not provided in the available resources; the general approach is to review API call logs, search for RestartAction usage, and verify that the user recorded for each executed action matches the caller.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OliveTin to version 3000.11.1 or later, where this vulnerability has been patched.

The patch ensures that RestartAction preserves the original caller's authentication context, so the authentication resolver no longer falls back to the guest user for restarted actions.

- Upgrade OliveTin to version 3000.11.1 or newer.
- Review and restrict the guest user's permissions, especially the 'exec' permission. The escalation only gains the attacker what guest is allowed to do, so a guest user without exec has nothing to escalate to.
- Limit access to the RestartAction endpoint to only trusted and necessary users.

The second and third steps reduce the risk of unauthorized command execution and privilege escalation until the upgrade can be applied. [1, 2]