CVE-2026-48709

Vulnerability

In OliveTin versions 3000.0.0 and prior, the ValidateArgumentType RPC endpoint in service/internal/api/api.go does not enforce any authentication or authorization checks. Unlike other data-returning API endpoints such as WhoAmI and GetDashboard, it does not call auth.UserFromApiCall or checkDashboardAccess. This means that even when AuthRequireGuestsToLogin is enabled (the security-conscious configuration), the endpoint remains accessible to unauthenticated users [1]. The endpoint acts as an oracle, returning different responses (valid: true or action/argument not found) based on whether the provided BindingId and argument exist [1].

Exploitation

An unauthenticated attacker with network access to the OliveTin web interface can send requests to the ValidateArgumentType endpoint without any authentication token or session. By brute-forcing or guessing BindingId strings and argument names, the attacker can observe whether the endpoint returns a success or a "not found" error, thereby enumerating valid action binding IDs and their argument configurations [1]. No prior authentication, user interaction, or special privileges are required.

Impact

A successful enumeration attack reveals internal configuration details—specifically, the set of valid action bindings and their argument types—to an unauthenticated attacker. This information disclosure alone is rated Low severity (CVSS 3.7) because it does not directly lead to code execution or data modification. However, it can inform further targeted attacks or social engineering efforts [1].

Mitigation

The vulnerability has been fixed in OliveTin version 3000.13.0 [2]. Users should upgrade to this version or later. If immediate upgrade is not possible, restricting network access to the OliveTin web interface to trusted networks or adding a reverse proxy with authentication may reduce exposure. The fix was released as part of a security update that also addresses a high-severity issue (GHSA-7fq5-7w7p2-m7fx) [2].