OliveTin Unauthorized Action Output Disclosure via EventStream
Description
OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OliveTin 3000.10.2 and earlier broadcasts action execution events and output to all authenticated dashboard subscribers without per-action authorization checks, allowing low-privileged users to view sensitive data.
Vulnerability
Overview
OliveTin is a web interface that provides safe access to predefined shell commands. In OliveTin 3000.10.2 and earlier, the live EventStream endpoint broadcasts execution events and action output to all authenticated dashboard subscribers without enforcing per-action authorization [1][2]. The root cause is that the subscription path (EventStream()) only checks coarse dashboard access, while execution callbacks broadcast to every connected client without a per-recipient ACL check [2].
Exploitation
An attacker holding a low-privileged authenticated session subscribes to the EventStream and receives execution events for actions they are not authorized to view. The advisory's proof of concept [2] shows a user named 'alice' with no ACLs still receiving the ExecutionFinished event for a privileged action, including its protected output (TOPSECRET=alpha-bravo-charlie) [2]. The broadcast happens in the OnExecutionStarted, OnExecutionFinished, and OnOutputChunk callbacks, which send to every connected client without a per-action authorization check [2].
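The following Go program is an added illustration of the mechanism described in the Overview and Exploitation sections above; it is not OliveTin's code and its type and function names (Hub, Subscribe, BroadcastVulnerable, BroadcastFiltered) are this example's own. It models a subscription path that checks only coarse dashboard access, a broadcast that sends every execution event to every subscriber, and the per-recipient ACL filter that would close the gap. The users, ACLs and secret value are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ExecutionEvent is this example's stand-in for one EventStream message:
// which action ran, which callback produced it, and what it printed.
type ExecutionEvent struct {
	ActionID string
	Kind     string // ExecutionStarted, OutputChunk or ExecutionFinished
	Output   string
}

// Subscriber is one connected dashboard client, identified by username.
type Subscriber struct {
	User     string
	Received []ExecutionEvent
}

// Hub fans execution events out to connected subscribers.
type Hub struct {
	dashboardUsers map[string]bool            // who may open the dashboard at all
	actionACL      map[string]map[string]bool // user -> action IDs that user may view
	subs           []*Subscriber
}

func NewHub(dashboardUsers map[string]bool, actionACL map[string]map[string]bool) *Hub {
	return &Hub{dashboardUsers: dashboardUsers, actionACL: actionACL}
}

// Subscribe models the EventStream() subscription path as the advisory
// describes it: the only gate is coarse dashboard access.
func (h *Hub) Subscribe(user string) (*Subscriber, error) {
	if !h.dashboardUsers[user] {
		return nil, errors.New("dashboard access denied for " + user)
	}
	s := &Subscriber{User: user}
	h.subs = append(h.subs, s)
	return s, nil
}

// canViewAction is the per-recipient check the vulnerable broadcast omits.
func (h *Hub) canViewAction(user, actionID string) bool {
	return h.actionACL[user][actionID]
}

// BroadcastVulnerable models the described OnExecutionStarted/OnOutputChunk/
// OnExecutionFinished behaviour: every connected client gets every event.
func (h *Hub) BroadcastVulnerable(ev ExecutionEvent) {
	for _, s := range h.subs {
		s.Received = append(s.Received, ev)
	}
}

// BroadcastFiltered is the hardened counterpart (this example's own fix, not a
// vendor patch): deliver only to subscribers authorized for that action.
func (h *Hub) BroadcastFiltered(ev ExecutionEvent) {
	for _, s := range h.subs {
		if h.canViewAction(s.User, ev.ActionID) {
			s.Received = append(s.Received, ev)
		}
	}
}

// usersWhoSaw lists subscribers that received any event for actionID.
func usersWhoSaw(subs []*Subscriber, actionID string) []string {
	var users []string
	for _, s := range subs {
		for _, ev := range s.Received {
			if ev.ActionID == actionID {
				users = append(users, s.User)
				break
			}
		}
	}
	sort.Strings(users)
	return users
}

// Demo replays the advisory's scenario with constructed data: "alice" has
// dashboard access but no action ACLs, "admin" may view "dump-secrets".
// It returns who received the privileged output under each broadcast.
func Demo() (vulnerable, filtered []string) {
	dashboard := map[string]bool{"alice": true, "admin": true}
	acl := map[string]map[string]bool{"admin": {"dump-secrets": true}}
	// Constructed sample event; the secret value is made up for this example.
	ev := ExecutionEvent{ActionID: "dump-secrets", Kind: "ExecutionFinished",
		Output: "TOPSECRET=constructed-sample"}

	h1 := NewHub(dashboard, acl)
	h1.Subscribe("alice")
	h1.Subscribe("admin")
	h1.BroadcastVulnerable(ev)
	vulnerable = usersWhoSaw(h1.subs, ev.ActionID)

	h2 := NewHub(dashboard, acl)
	h2.Subscribe("alice")
	h2.Subscribe("admin")
	h2.BroadcastFiltered(ev)
	filtered = usersWhoSaw(h2.subs, ev.ActionID)
	return vulnerable, filtered
}

func main() {
	v, f := Demo()
	fmt.Println("vulnerable broadcast reached:", v) // [admin alice]
	fmt.Println("filtered broadcast reached:  ", f) // [admin]
}
```

The point of the split is that the subscription-time check and the delivery-time check are different decisions: knowing a user may open the dashboard says nothing about which actions' output they may read, so the authorization has to be re-evaluated per recipient at the moment each event is fanned out.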
Impact
Successful exploitation results in broken access control and sensitive information disclosure [1][2]. An authenticated low-privileged user can view the output of actions they are not permitted to access, potentially exposing confidential data or system details [2].
Mitigation
As of the advisory publication date (2026-03-11), the vendor had not released a patched version [2]. Until one is available, restrict the OliveTin dashboard to users who may see the output of every configured action, since per-action ACLs do not gate the EventStream; avoid configuring actions whose output contains secrets; and monitor the advisory for updates [2][3]. The advisory lists all versions up to and including 3000.10.2 as affected [1][2]; note that the affected-packages table on this page lists 3000.10.2 as patched, which conflicts with that range, so confirm against the GHSA before treating any release as fixed.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/OliveTin/OliveTin (Go) | < 3000.10.2 | 3000.10.2 |
Affected products
- OliveTin/OliveTin (version range): < 3000.10.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-228v-wc5r-j8m7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-32102 (NVD entry)
- github.com/OliveTin/OliveTin/security/advisories/GHSA-228v-wc5r-j8m7 (vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.