VYPR
High severity (7.5) · NVD Advisory · Published Jun 15, 2026

CVE-2026-48708

Description

A race condition in OliveTin's template engine allows concurrent requests to corrupt command templates, leading to cross-user command contamination or Go runtime panic.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A race condition exists in OliveTin's template engine because a single shared text/template.Template instance (the package-level variable tpl in service/internal/tpl/templates.go) is used across all goroutines without synchronization. Every action execution calls tpl.Parse(source) followed by t.Execute(), so concurrent requests modify and read the same internal parse tree at the same time. This affects all versions up to and including 3000.0.0, as the shared template has existed since the template system was introduced [1].

Exploitation

An attacker needs only network access to the OliveTin web interface, where predefined shell commands are exposed. The race condition is triggered by sending multiple concurrent action requests (each spawning a goroutine) that involve template rendering with dynamic arguments. No authentication or special privileges are required if the instance is publicly accessible; the attacker can simply submit two or more requests simultaneously to induce the race [1].

Impact

Successful exploitation can result in cross-user command contamination: one user's arguments may be rendered into another user's shell command, leading to unintended command execution that could access sensitive data or perform harmful actions. Additionally, the race can cause a Go runtime panic due to concurrent map writes, resulting in a denial of service. The overall impact is high confidentiality, integrity, and availability compromise [1].

Mitigation

The vulnerability is patched in version 3000.13.0, released alongside this CVE. Users must upgrade to 3000.13.0 immediately to eliminate the race condition. No workaround exists for earlier versions. The issue is not currently listed on the CISA Known Exploited Vulnerabilities catalog [2].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • OliveTin/Olivetin (2 versions, no CPE): range <=3000.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing synchronization on a shared `text/template.Template` instance allows concurrent `Parse` and `Execute` calls to race, leading to cross-request command contamination and process crashes."

Attack vector

An attacker with network access to the OliveTin web interface triggers two or more action executions concurrently (e.g., by firing simultaneous HTTP POST requests to `/api/StartAction`). Because each request runs in a separate goroutine and the template engine uses a single unsynchronized `text/template.Template` instance, one goroutine's `Parse` can overwrite the internal template tree while another goroutine's `Execute` is still reading it [1]. This race can cause cross-user command contamination (User A's arguments rendered in User B's shell command), a Go runtime panic from concurrent map writes (process crash), or execution of unintended shell commands. The CVSS reflects the need for low privileges and high attack complexity (the race window must be hit).

Affected code

The race condition lives in `service/internal/tpl/templates.go`, where a package-level `var tpl = template.New("tpl")` is shared across all goroutines. Every action execution calls `parseTemplate` which performs `tpl.Parse(source)` followed by `t.Execute()` on that same singleton without any synchronization. The call chain from `service/internal/executor/executor.go` shows that each `ExecRequest` spawns a goroutine, so concurrent actions race on the shared template instance.

What the fix does

The advisory recommends creating a new template per `parseTemplate` call instead of reusing the package-level singleton: `template.New("").Option("missingkey=error").Funcs(...).Parse(source)` [1]. This eliminates the shared mutable state entirely because each goroutine gets its own independent `*template.Template` object, so concurrent `Parse` and `Execute` calls cannot interfere with each other. The patch does not appear in the bundle, but the advisory explicitly states that option 1 (new template per call) is the recommended fix.
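As an added illustration (not OliveTin's code), the shared-singleton shape the advisory describes sits beside the per-call template the fix recommends; `renderConcurrently`, the `echo user<i>` template text and the `arg` key are constructed here to stand in for action templates and request arguments:

```go
package main

import (
	"bytes"
	"fmt"
	"sync"
	"text/template"
)

// One package-level template re-parsed by every request: the unsynchronized
// shape the advisory describes. Concurrent Parse/Execute on it is a data race.
var sharedTpl = template.New("tpl").Option("missingkey=error")
// renderShared is the vulnerable "before": Parse into the shared singleton.
func renderShared(source string, args map[string]string) (string, error) {
	t, err := sharedTpl.Parse(source)
	return execute(t, err, args)
}

// renderPerCall is the fix: a fresh *template.Template per request, so goroutines
// share no parse state; missingkey=error rejects an absent arg instead of "<no value>".
func renderPerCall(source string, args map[string]string) (string, error) {
	t, err := template.New("").Option("missingkey=error").Parse(source)
	return execute(t, err, args)
}
func execute(t *template.Template, err error, args map[string]string) (string, error) {
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, args)
	return buf.String(), err
}
// renderConcurrently fires n renders from parallel goroutines (as concurrent action
// requests do); request i renders the constructed template "echo user<i> {{.arg}}"
// with arg "v<i>", and outputs come back in request order ("" where rendering failed).
func renderConcurrently(render func(string, map[string]string) (string, error), n int) []string {
	out := make([]string, n)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			args := map[string]string{"arg": fmt.Sprintf("v%d", i)}
			out[i], _ = render(fmt.Sprintf("echo user%d {{.arg}}", i), args)
		}(i)
	}
	wg.Wait()
	return out
}

// Swap in renderShared and run with -race to have the data race reported.
func main() { fmt.Println(renderConcurrently(renderPerCall, 3)) }
```

With `renderPerCall`, every output contains only its own request's argument; the shared variant is kept sequential here because running it concurrently is exactly the race the advisory describes.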

Preconditions

  • network: Attacker must be able to send HTTP requests to the OliveTin API endpoint `/api/StartAction`
  • config: At least two configured actions must exist so that concurrent execution can be triggered
  • auth: The attacker must have valid credentials or the instance must allow unauthenticated action execution (low privilege)
  • input: The race window must be hit by sending concurrent requests (high attack complexity)

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.