CVE-2026-48709
Status: Received - Intake
Source: BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description
OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations. This issue has been fixed in version 3000.13.0.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Source: NVD
Affected Vendors & Products (2 associated CPEs)
Vendor: olivetin, Product: olivetin, Version range: up to 3000.13.0 (excluding)
Vendor: olivetin, Product: olivetin, Version: 3000.13.0
Exploitability
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability exists in OliveTin versions 3000.0.0 and prior, where the ValidateArgumentType RPC endpoint does not perform any authentication or authorization checks. Unlike other API endpoints, it does not verify the user's identity or access rights. As a result, even when the security setting AuthRequireGuestsToLogin is enabled, unauthenticated users can access this endpoint.

This allows attackers to use the endpoint as an oracle to enumerate valid action binding IDs and their argument configurations, potentially revealing sensitive information about the system's internal commands.

The issue was fixed in version 3000.13.0.

Impact Analysis

This vulnerability lets unauthenticated users learn, through the vulnerable API endpoint, which action binding IDs are valid and how their arguments are configured.

Although the CVSS score of 3.7 indicates low severity (confidentiality impact only), this information disclosure could help an attacker plan further attacks or exploit other vulnerabilities.

Mitigation Strategies

To mitigate this vulnerability, upgrade OliveTin to version 3000.13.0 or later, where the issue has been fixed.

Additionally, ensure that the AuthRequireGuestsToLogin setting is properly configured and consider restricting access to the ValidateArgumentType RPC endpoint until the upgrade is applied.
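To make the missing-check pattern concrete, here is an added Go example that is not OliveTin's code: every name, the session table and the binding table are constructed for illustration. It places an unguarded argument-validation handler beside a hardened one that consults the auth helper before any lookup when guests must log in, and includes a small check a reviewer can run against any endpoint to confirm that an unauthenticated caller gets the same answer for valid and invalid binding IDs.

```go
package main

import (
	"errors"
	"fmt"
)

// All names below are hypothetical; this is not OliveTin's code.

// Request models one RPC call: an optional session token plus the action
// binding ID the caller wants validated.
type Request struct {
	SessionToken string
	BindingID    string
}

// Response is what the endpoint returns for a known binding.
type Response struct {
	BindingID string
	ArgType   string
}

var (
	ErrUnauthenticated = errors.New("login required")
	ErrUnknownBinding  = errors.New("unknown action binding")
)

// Server holds the guest-login policy and constructed sample data.
type Server struct {
	RequireGuestsToLogin bool
	sessions             map[string]string // session token -> user (constructed)
	bindings             map[string]string // binding ID -> argument type (constructed)
}

// NewServer builds a server with constructed sample sessions and bindings.
func NewServer(requireGuestsToLogin bool) *Server {
	return &Server{
		RequireGuestsToLogin: requireGuestsToLogin,
		sessions:             map[string]string{"tok-alice": "alice"},
		bindings:             map[string]string{"restart-web": "string", "ping-host": "ipaddress"},
	}
}

// userFromCall plays the role of the shared auth helper that every
// data-returning endpoint is expected to call before doing any work.
func (s *Server) userFromCall(req Request) (string, bool) {
	user, ok := s.sessions[req.SessionToken]
	return user, ok
}

// ValidateArgumentTypeUnguarded is the defect pattern: it answers straight
// from the binding table. Because unknown and known IDs produce different
// results, an unauthenticated caller can tell valid IDs from invalid ones.
func (s *Server) ValidateArgumentTypeUnguarded(req Request) (Response, error) {
	argType, ok := s.bindings[req.BindingID]
	if !ok {
		return Response{}, ErrUnknownBinding
	}
	return Response{BindingID: req.BindingID, ArgType: argType}, nil
}

// ValidateArgumentType is the hardened form: when guests must log in, the
// auth check runs before the binding lookup, so every unauthenticated call
// gets the same answer regardless of whether the binding ID exists.
func (s *Server) ValidateArgumentType(req Request) (Response, error) {
	if s.RequireGuestsToLogin {
		if _, ok := s.userFromCall(req); !ok {
			return Response{}, ErrUnauthenticated
		}
	}
	return s.ValidateArgumentTypeUnguarded(req)
}

// LeaksBindingExistence reports whether unauthenticated probes for a known
// and an unknown binding ID give distinguishable outcomes. A defender can run
// this against each endpoint to spot one that skipped the auth helper.
func LeaksBindingExistence(call func(Request) (Response, error)) bool {
	_, errKnown := call(Request{BindingID: "restart-web"})
	_, errUnknown := call(Request{BindingID: "no-such-binding"})
	// fmt.Sprint renders a nil error as "<nil>", so success vs. error differs too.
	return fmt.Sprint(errKnown) != fmt.Sprint(errUnknown)
}

func main() {
	s := NewServer(true)
	fmt.Println("unguarded endpoint leaks binding existence:", LeaksBindingExistence(s.ValidateArgumentTypeUnguarded))
	fmt.Println("guarded endpoint leaks binding existence:", LeaksBindingExistence(s.ValidateArgumentType))
	resp, err := s.ValidateArgumentType(Request{SessionToken: "tok-alice", BindingID: "ping-host"})
	fmt.Println("authenticated call:", resp, err)
}
```

The important design point is ordering: the authentication check precedes the lookup, so the response to a guest carries no information derived from the binding table. Running LeaksBindingExistence over every handler in a code review is a cheap way to catch an endpoint that, like the one in this advisory, omits the shared auth call that its siblings make.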
