CVE-2026-48709
Deferred Deferred - Pending Action

ValidateArgumentType RPC Endpoint Authentication Bypass in OliveTin

Vulnerability report for CVE-2026-48709, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations. This issue has been fixed in version 3000.13.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-24
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
olivetin olivetin to 3000.13.0 (exc)
olivetin olivetin 3000.13.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in OliveTin versions 3000.0.0 and prior, where the ValidateArgumentType RPC endpoint does not perform any authentication or authorization checks. Unlike other API endpoints, it does not verify the user's identity or access rights. As a result, even when the security setting AuthRequireGuestsToLogin is enabled, unauthenticated users can access this endpoint.

This allows attackers to use the endpoint as an oracle to enumerate valid action binding IDs and their argument configurations, potentially revealing sensitive information about the system's internal commands.

The issue was fixed in version 3000.13.0.

Impact Analysis

The vulnerability can impact you by allowing unauthenticated users to gain information about valid action bindings and their argument configurations through the vulnerable API endpoint.

Although the CVSS score indicates a low severity (3.7) with limited impact (confidentiality impact only), this information disclosure could be leveraged by attackers to plan further attacks or exploit other vulnerabilities.

Mitigation Strategies

To mitigate this vulnerability, upgrade OliveTin to version 3000.13.0 or later, where the issue has been fixed.

Additionally, ensure that the AuthRequireGuestsToLogin setting is properly configured and consider restricting access to the ValidateArgumentType RPC endpoint until the upgrade is applied.

Detection Guidance

This vulnerability involves the ValidateArgumentType RPC endpoint in OliveTin versions 3000.0.0 and prior, which does not perform authentication or authorization checks. To detect if your system is vulnerable, you can attempt to access this endpoint without authentication and observe if it returns data.

A possible detection method is to send an unauthenticated request to the ValidateArgumentType RPC endpoint and check if it responds with valid action binding IDs or argument configurations.

  • Use a command like: curl -X POST http://<target-host>/service/internal/api/ValidateArgumentType -d '{}' -v
  • If the response returns data without requiring authentication, the system is likely vulnerable.

Note that this endpoint should require authentication in secure configurations, so any unauthenticated access indicates the presence of the vulnerability.

Compliance Impact

This vulnerability allows unauthenticated users to access the ValidateArgumentType RPC endpoint, which can be used to enumerate valid action binding IDs and their argument configurations. However, the CVE description does not provide specific information about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48709. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart