Executive Summary

CVE-2026-30233 is an authorization flaw in OliveTin versions prior to 3000.11.1. The vulnerability occurs because the system does not properly enforce view permissions when returning dashboard and action binding metadata via API endpoints. Although execution permissions are correctly checked, users without view permissions (view:false) can still access sensitive information such as action titles, IDs, icons, descriptions, and argument metadata through the dashboard and API responses.

This happens because the backend fails to call the IsAllowedView() check when constructing dashboard and action binding responses, allowing restricted users to enumerate action bindings and metadata even though they cannot execute the actions.

The issue was patched in version 3000.11.1 by adding proper permission checks on dashboard and action binding retrieval, improving error handling, and enforcing access control consistently.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing authenticated users who should not have view permissions to access sensitive dashboard and action metadata. Although they cannot execute actions, they can still see confidential operational details such as action titles, IDs, icons, descriptions, and argument metadata.

This exposure of sensitive information could lead to information leakage, which might be used to plan further attacks or gain insights into system operations that should remain restricted.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access dashboard and action binding metadata via the OliveTin API endpoints as an authenticated user with restricted view permissions (view:false). Specifically, you can test if the API returns detailed action metadata such as titles, IDs, icons, descriptions, and argument metadata despite lacking view permissions.'}, {'type': 'paragraph', 'content': 'A proof of concept involves using API calls to the GetDashboard and GetActionBinding endpoints while logged in as a low-privilege user. If these endpoints return full metadata for restricted actions instead of an empty result or HTTP 403 Forbidden, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Suggested commands would involve making authenticated HTTP requests to the API endpoints, for example using curl:'}, {'type': 'list_item', 'content': 'curl -X GET -H "Authorization: Bearer <token>" https://<olivetin-server>/api/GetDashboard'}, {'type': 'list_item', 'content': 'curl -X GET -H "Authorization: Bearer <token>" https://<olivetin-server>/api/GetActionBinding?actionId=<id>'}, {'type': 'paragraph', 'content': 'Replace <token> with a token for a user with view:false permission and <id> with an action binding ID. If the response includes detailed action metadata, the vulnerability is present.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade OliveTin to version 3000.11.1 or later, where this authorization flaw has been patched.

The patch enforces proper permission checks (IsAllowedView) on dashboard and action binding API endpoints, preventing unauthorized users from enumerating sensitive metadata.

Until the upgrade can be applied, consider restricting access to the OliveTin API endpoints to trusted users only, and monitor for suspicious API calls that attempt to enumerate action metadata.

Additionally, review and tighten user permissions to ensure that users without view permissions cannot authenticate or access the system.

Useful 0 Not Useful 0