CVE-2026-48708
Deferred Deferred - Pending Action

Command Injection Risk in OliveTin Web Interface

Vulnerability report for CVE-2026-48708, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level variable in service/internal/tpl/templates.go) across all goroutines. Every action execution calls tpl.Parse(source) followed by t.Execute() on this shared instance with no synchronization. When two or more actions execute concurrently (which is the normal case β€” each ExecRequest spawns a goroutine), a race condition occurs: one goroutine's Parse overwrites the template tree while another goroutine is calling Execute, causing cross-user command contamination, Go runtime panic, and incorrect command execution. This issue has been resolved in version 3000.13.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-24
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
olivetin olivetin to 3000.13.0 (exc)
olivetin olivetin 3000.13.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-567 The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in OliveTin versions 3000.0.0 and prior, where the template engine uses a single shared template instance across all concurrent goroutines without proper synchronization.

When multiple actions execute concurrently, a race condition occurs because one goroutine's parsing of the template can overwrite the template tree while another goroutine is executing it.

This leads to cross-user command contamination, Go runtime panics, and incorrect command execution.

The issue was fixed in version 3000.13.0.

Impact Analysis

This vulnerability can cause several serious impacts including:

  • Cross-user command contamination, meaning commands intended for one user could be executed in the context of another user.
  • Go runtime panics that can crash the application or service.
  • Incorrect command execution, potentially leading to unauthorized actions or system instability.
Mitigation Strategies

To mitigate this vulnerability, upgrade OliveTin to version 3000.13.0 or later, where the issue has been resolved.

Compliance Impact

The vulnerability in OliveTin can lead to cross-user command contamination, privilege escalation, and data leakage due to improper synchronization in template parsing. Such issues can compromise confidentiality, integrity, and availability of data.

These impacts can affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access or data breaches.

Specifically, data leakage and privilege escalation could lead to violations of data protection requirements, potentially resulting in regulatory penalties or loss of trust.

Detection Guidance

This vulnerability arises from a race condition in OliveTin's template parsing system when multiple actions execute concurrently, causing cross-user command contamination and potential runtime crashes.

To detect this vulnerability on your system, you can monitor for symptoms such as unexpected command execution results, Go runtime panics, or denial-of-service conditions related to concurrent map writes.

Since the issue is related to concurrent execution and template parsing, direct detection commands are not explicitly provided in the available resources.

However, you can check the version of OliveTin installed to determine if it is vulnerable. Versions 3000.0.0 and prior are affected, and the issue is fixed in version 3000.13.0.

Suggested commands to check the installed version might include:

  • Run `olivetin --version` or check the application metadata to identify the version.
  • Monitor system logs for Go runtime panics or errors related to concurrent map writes.
  • Use network monitoring tools to observe unusual or cross-user command executions from the OliveTin web interface.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48708. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart