13 matches found
CVE-2026-48709
OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not cal...
PT-2026-49472
Name of the Vulnerable Software and Affected Versions OliveTin versions prior to 3000.13.0 Description The 'ValidateArgumentType' RPC endpoint in service/internal/api/api.go lacks authentication and authorization checks, failing to call auth.UserFromApiCall or checkDashboardAccess. Even when...
SUSE CVE-2026-30233
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution exec may be...
CVE-2026-30233
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution exec may be...
CVE-2026-30233
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution exec may be...
CVE-2026-30233 OliveTin: View permission not being checked when returning dashboards
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution exec may be...
CVE-2026-30233 OliveTin: View permission not being checked when returning dashboards
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution exec may be...
CVE-2026-30233
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution exec may be...
CVE-2026-30233 OliveTin: View permission not being checked when returning dashboards
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution exec may be...
CVE-2026-30233
Technical details for CVE-2026-30233 are not publicly available in the provided connected documents. Monitor for updates.
GHSA-JF73-858C-54PG OliveTin doesn't check view permission when returning dashboards
Summary An authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution exec may be correctly denied, the backend does not enforce IsAllowedView when constructing dashboard and...
OliveTin doesn't check view permission when returning dashboards
Summary An authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution exec may be correctly denied, the backend does not enforce IsAllowedView when constructing dashboard and...
PT-2026-23617
Name of the Vulnerable Software and Affected Versions OliveTin versions prior to 3000.11.1 Description OliveTin has an authorization issue where authenticated users with insufficient permissions view: false can access metadata related to actions through the dashboard and API endpoints...