Duty Analyst: Moises Salas Lopez

CVE-2026-27626

Published: 2026-02-25 03:16:06 | Last modified: 2026-02-27 18:58:46

CRITICAL CVSS 9.9
No EPSS data

Description

OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second, independent vector allows unauthenticated RCE via webhook-extracted JSON values, which skip the type safety checks entirely before reaching `sh -c`. With vector 1, any authenticated user (registration is enabled by default, and `authType: none` is the default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process. With vector 2, an unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case. Combining both vectors results in unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions. As of the time of publication, a patched version is not available.

CVSS details

Severity: critical
Score: 9.9
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS

This CVE is not currently listed in the EPSS dataset.

JSON record

{
    "cve": {
        "id": "CVE-2026-27626",
        "cveTags": [],
        "metrics": {
            "cvssMetricV31": [
                {
                    "type": "Secondary",
                    "source": "security-advisories@github.com",
                    "cvssData": {
                        "scope": "CHANGED",
                        "version": "3.1",
                        "baseScore": 9.9,
                        "attackVector": "NETWORK",
                        "baseSeverity": "CRITICAL",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                        "integrityImpact": "HIGH",
                        "userInteraction": "NONE",
                        "attackComplexity": "LOW",
                        "availabilityImpact": "HIGH",
                        "privilegesRequired": "LOW",
                        "confidentialityImpact": "HIGH"
                    },
                    "impactScore": 6,
                    "exploitabilityScore": 3.1
                }
            ]
        },
        "published": "2026-02-25T03:16:06.347",
        "references": [
            {
                "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-49gm-hh7w-wfvf",
                "tags": [
                    "Exploit",
                    "Vendor Advisory"
                ],
                "source": "security-advisories@github.com"
            },
            {
                "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-49gm-hh7w-wfvf",
                "tags": [
                    "Exploit",
                    "Vendor Advisory"
                ],
                "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
            }
        ],
        "vulnStatus": "Analyzed",
        "weaknesses": [
            {
                "type": "Secondary",
                "source": "security-advisories@github.com",
                "description": [
                    {
                        "lang": "en",
                        "value": "CWE-78"
                    }
                ]
            }
        ],
        "descriptions": [
            {
                "lang": "en",
                "value": "OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching `sh -c`. When exploiting vector 1, any authenticated user (registration enabled by default, `authType: none` by default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process. When exploiting vector 2, an unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case. When an attacker exploits both vectors, this results in unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions. As of time of publication, a patched version is not available."
            },
            {
                "lang": "es",
                "value": "OliveTin da acceso a comandos de shell predefinidos desde una interfaz web. En versiones hasta la 3000.10.0 inclusive, la comprobaci\u00f3n de seguridad del modo shell de OliveTin ('checkShellArgumentSafety') bloquea varios tipos de argumentos peligrosos, pero no 'password'. Un usuario que proporciona un argumento de tipo 'password' puede inyectar metacaracteres de shell que ejecutan comandos arbitrarios del sistema operativo. Un segundo vector independiente permite RCE no autenticada a trav\u00e9s de valores JSON extra\u00eddos de webhooks que omiten por completo las comprobaciones de seguridad de tipo antes de llegar a 'sh -c'. Al explotar el vector 1, cualquier usuario autenticado (registro habilitado por defecto, 'authType: none' por defecto) puede ejecutar comandos arbitrarios del sistema operativo en el host de OliveTin con los permisos del proceso de OliveTin. Al explotar el vector 2, un atacante no autenticado puede lograr lo mismo si la instancia recibe webhooks de fuentes externas, lo cual es un caso de uso principal de OliveTin. Cuando un atacante explota ambos vectores, esto resulta en RCE no autenticada en cualquier instancia de OliveTin que utiliza el modo Shell con acciones activadas por webhook. En el momento de la publicaci\u00f3n, no hay disponible una versi\u00f3n parcheada."
            }
        ],
        "lastModified": "2026-02-27T18:58:46.380",
        "configurations": [
            {
                "nodes": [
                    {
                        "negate": false,
                        "cpeMatch": [
                            {
                                "criteria": "cpe:2.3:a:olivetin:olivetin:*:*:*:*:*:*:*:*",
                                "vulnerable": true,
                                "matchCriteriaId": "E09DB368-3973-4282-A0B6-5576CB6CCD5C",
                                "versionEndIncluding": "3000.10.0"
                            }
                        ],
                        "operator": "OR"
                    }
                ]
            }
        ],
        "sourceIdentifier": "security-advisories@github.com"
    }
}