Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30225 is an authentication context confusion vulnerability in OliveTin's RestartAction feature prior to version 3000.11.1."}, {'type': 'paragraph', 'content': 'The vulnerability occurs because RestartAction creates a new internal request without preserving the original caller’s authentication headers or cookies. When this synthetic request is passed to StartAction, the authentication resolver defaults to the guest user.'}, {'type': 'paragraph', 'content': 'If the guest user has broader permissions than the original authenticated user, this fallback causes privilege escalation, allowing a low-privileged authenticated user to bypass access control restrictions and execute arbitrary configured shell commands with elevated privileges.'}, {'type': 'paragraph', 'content': 'This issue has been patched in version 3000.11.1.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to privilege escalation and unauthorized command execution by a low-privileged authenticated user.

• Bypass of Access Control List (ACL) restrictions.
• Execution of arbitrary configured shell actions with elevated privileges.
• Potential arbitrary file writes.
• Exposure of sensitive data.
• Possible full host compromise depending on OliveTin runtime privileges.

The impact is significant in deployments where the guest user has execution permissions and restricted users do not, and where the RestartAction endpoint is accessible.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves a low-privileged authenticated user exploiting the RestartAction endpoint to execute shell commands with guest user privileges due to authentication context confusion.

To detect this vulnerability on your system, you should monitor for unusual or unauthorized execution of shell commands initiated via the RestartAction API endpoint, especially actions executed with guest user privileges.

Since the issue arises when RestartAction creates a new internal request without preserving authentication headers, you can look for suspicious API calls to RestartAction that result in privilege escalation.

• Check your OliveTin server logs for RestartAction API calls and verify if the execution tracking IDs correspond to actions executed as guest rather than the authenticated user.
• Use network monitoring tools to capture HTTP requests to the RestartAction endpoint and inspect headers to see if authentication headers are missing or replaced.
• If you have access to the OliveTin API, you can run commands or scripts to query the execution logs and verify the user context under which actions were executed.

Specific commands are not provided in the available resources, but general approaches include reviewing API call logs, searching for RestartAction usage, and verifying user permissions associated with executed actions.

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to upgrade OliveTin to version 3000.11.1 or later, where this vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'The patch ensures that RestartAction preserves the original caller’s authentication context, preventing fallback to the guest user and unauthorized privilege escalation.'}, {'type': 'list_item', 'content': 'Upgrade OliveTin to version 3000.11.1 or newer.'}, {'type': 'list_item', 'content': "Review and restrict permissions of the guest user, especially the 'exec' permission, to minimize potential impact if the vulnerability is exploited."}, {'type': 'list_item', 'content': 'Limit access to the RestartAction endpoint to only trusted and necessary users.'}, {'type': 'paragraph', 'content': 'These steps reduce the risk of unauthorized command execution and privilege escalation until the patch is applied.'}] [1, 2]

Useful 0 Not Useful 0