VYPR
High severity · NVD Advisory · Published Mar 10, 2026 · Updated Mar 11, 2026

OliveTin's unsafe parsing of UniqueTrackingId can be used to write files

CVE-2026-31817

Description

OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied UniqueTrackingId field in the StartAction API request. This value is not validated or sanitized before being used in a file path, allowing an attacker to use directory traversal sequences (e.g., ../../../) to write files to arbitrary locations on the filesystem. This vulnerability is fixed in 3000.11.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OliveTin before 3000.11.2 allows directory traversal via unsanitized UniqueTrackingId in StartAction API, enabling arbitrary file writes when saveLogs is enabled.

Vulnerability

Overview

OliveTin, a web interface for executing predefined shell commands, prior to version 3000.11.2 contains a path traversal vulnerability in its log file writing mechanism. When the saveLogs feature is enabled, the application constructs log filenames using the user-supplied UniqueTrackingId field from the StartAction API request. This value is not validated or sanitized before being used in a file path, allowing directory traversal sequences (e.g., ../../../) to escape the intended log directory [1][2].

Exploitation

An attacker can exploit this by sending a crafted StartAction request (via Connect RPC or REST) containing a UniqueTrackingId with path traversal characters. The code only replaces the tracking ID with a UUID if it is empty or a duplicate; otherwise, the user-supplied string is accepted as-is. The path.Join function used to construct the final file path resolves .. segments, causing the file to be written outside the configured log directory [2]. No authentication is mentioned as a prerequisite, but the attacker must have network access to the OliveTin API.

Impact

Successful exploitation allows an attacker to write files to arbitrary locations on the filesystem. The written files are YAML and .log files containing execution log entries, which may include attacker-controlled data such as action titles. This could lead to overwriting critical system files, planting malicious scripts, or other arbitrary file write consequences, potentially leading to remote code execution or privilege escalation [2].

Mitigation

The vulnerability is fixed in OliveTin version 3000.11.2. Users are strongly advised to upgrade to this version or later. The release notes explicitly mention the fix for this security issue (GHSA-364q-w7vh-vhpc) [4]. No workaround is documented.
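The traversal described under Exploitation and the character-class check the fix introduces, shown together as an added Go example (not OliveTin's own code): UnsafeLogPath reproduces the pre-fix construction the advisory describes (the caller-supplied ID joined onto the log directory with path.Join, which lexically resolves ".." segments), IsValidTrackingID re-implements the rule the patch adds (hex digits and dashes, at most 36 characters), and EscapesLogDir is a defence-in-depth assertion a log writer can evaluate before opening any file. The log directory, the fixed placeholder ID standing in for uuid.NewString(), and every function name are assumptions; nothing is written to disk.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// logDir is a constructed example directory; the real OliveTin configuration
// value is not part of the advisory.
const logDir = "/var/lib/olivetin/logs"

// validTrackingID mirrors the character class used by the fix: hex digits and
// dashes only, so "/", "\" and "." can never appear in the file name.
var validTrackingID = regexp.MustCompile(`^[a-fA-F0-9\-]+$`)

// maxTrackingIDLength matches the limit introduced by the fix (UUID string length).
const maxTrackingIDLength = 36

// IsValidTrackingID re-implements the patch's validation rule (names are ours).
func IsValidTrackingID(id string) bool {
	return id != "" && len(id) <= maxTrackingIDLength && validTrackingID.MatchString(id)
}

// UnsafeLogPath reproduces the pre-fix behaviour described in the advisory:
// the caller-supplied id goes straight into path.Join, which resolves ".."
// segments and so can yield a path outside logDir.
func UnsafeLogPath(id string) string {
	return path.Join(logDir, id+".log")
}

// EscapesLogDir reports whether a candidate path lies outside logDir.
// It is an independent check a writer can assert on before any file is opened.
func EscapesLogDir(p string) bool {
	cleanDir := path.Clean(logDir) + "/"
	return !strings.HasPrefix(path.Clean(p), cleanDir)
}

// SafeLogPath applies the validation first and falls back to a fixed
// placeholder ID (standing in for uuid.NewString() in the patched code so the
// example runs deterministically). The bool reports whether the caller's ID was kept.
func SafeLogPath(id string) (string, bool) {
	if !IsValidTrackingID(id) {
		return path.Join(logDir, "00000000-0000-4000-8000-000000000000.log"), false
	}
	return path.Join(logDir, id+".log"), true
}

func main() {
	// Constructed sample IDs: one well-formed, one traversal attempt, one empty, one too long.
	for _, id := range []string{
		"3f2504e0-4f89-41d3-9a0c-0305e82c3301",
		"../../../tmp/escaped",
		"",
		strings.Repeat("a", 37),
	} {
		unsafe := UnsafeLogPath(id)
		safe, kept := SafeLogPath(id)
		fmt.Printf("%-40q unsafe=%s escapes=%v | safe=%s kept=%v\n",
			id, unsafe, EscapesLogDir(unsafe), safe, kept)
	}
}
```

Run it with go run: the traversal input resolves to /var/tmp/escaped.log under the unsafe constructor and is flagged by EscapesLogDir, while SafeLogPath discards it and substitutes the placeholder ID. Keeping the prefix check alongside the character-class validation means a later relaxation of the regex cannot silently reopen the write-outside-directory case.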

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions                      Patched versions
github.com/OliveTin/OliveTin (Go)    < 0.0.0-20260309102040-b03af0e2eca3    0.0.0-20260309102040-b03af0e2eca3

Affected products

2
  • Range: <3000.11.2
  • OliveTin/OliveTinv5
    Range: < 3000.11.2

Patches

1
2f77000de44f

security: GHSA-364q-w7vh-vhpc (HIGH) Unsafe parsing of UniqueTrackingId can be used to write files

https://github.com/OliveTin/OliveTin · jamesread · Mar 8, 2026 · via ghsa
1 file changed · +10 −2
  • service/internal/executor/executor.go  +10 −2  modified
    @@ -20,6 +20,7 @@ import (
     	"os"
     	"os/exec"
     	"path"
    +	"regexp"
     	"strings"
     	"sync"
     	"time"
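Review bot: No issue with this hunk; `regexp` is slotted in alphabetical order between `path` and `strings`, so goimports stays quiet. Worth noting for the reviewer that `path` (not `path/filepath`) remains the package that builds the log file name further down, and it lexically resolves `..` segments, so path safety now rests entirely on the validation added in the next hunk rather than on any cleaning of the joined path.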
    @@ -30,6 +31,14 @@ const (
     	MaxTriggerDepth            = 10
     )
     
    +var validTrackingIDPattern = regexp.MustCompile(`^[a-fA-F0-9\-]+$`)
    +
    +func isValidTrackingID(id string) bool {
    +	const MaxTrackingIDLength = 36
    +
    +	return id != "" && len(id) <= MaxTrackingIDLength && validTrackingIDPattern.MatchString(id)
    +}
    +
     var (
     	metricActionsRequested = promauto.NewCounter(prometheus.CounterOpts{
     		Name: "olivetin_actions_requested_count",
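Review bot: `validTrackingIDPattern` admits any hex-and-dash string of up to 36 characters, which is enough to exclude `/`, `\` and `.` and so closes the traversal, but it is looser than the `uuid.NewString()` format the fallback produces (8-4-4-4-12 groups); if the intent is "must be a UUID", a grouped pattern such as `^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$` says so and makes the length constant redundant. Two smaller points: `MaxTrackingIDLength` would sit more naturally in the `const (` block above alongside `MaxTriggerDepth`, and `isValidTrackingID` has no doc comment stating that the character class exists for path safety, which is the property a future editor must not relax. A table-driven test covering `""`, `../x`, a 37-character string and a well-formed UUID would pin the behaviour.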
    @@ -506,8 +515,7 @@ func (e *Executor) ExecRequest(req *ExecutionRequest) (*sync.WaitGroup, string)
     	}
     
     	_, isDuplicate := e.GetLog(req.TrackingID)
    -
    -	if isDuplicate || req.TrackingID == "" {
    +	if isDuplicate || !isValidTrackingID(req.TrackingID) {
     		req.TrackingID = uuid.NewString()
     	}
     
    
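Review bot: `e.GetLog(req.TrackingID)` still runs before the new validation, so the unvalidated, caller-supplied string reaches the log store lookup; if `GetLog` is a pure in-memory map read that is harmless, but validating first and only then checking for duplicates (`if !isValidTrackingID(req.TrackingID) { ... } else if _, dup := e.GetLog(req.TrackingID); dup { ... }`) removes the question entirely. Also, because an invalid ID is now silently replaced by a UUID, a client that sent a non-conforming ID gets a different one back from `ExecRequest`'s string return value; a debug log line at the replacement point would make that visible when troubleshooting. Dropping the blank line between the lookup and the `if` is fine.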

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.