CVE-2026-32102
Received
Received - Intake
Broken Access Control in OliveTin EventStream Causes Data Leak
Publication date: 2026-03-11
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Description
OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| olivetin | olivetin | to 3000.10.2 (inc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
