CVE-2026-27626 in OliveTin
Summary
by MITRE • 02/25/2026
OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching `sh -c`. When exploiting vector 1, any authenticated user (registration enabled by default, `authType: none` by default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process. When exploiting vector 2, an unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case. When an attacker exploits both vectors, this results in unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions. As of the time of publication, a patched version is not available.
Analysis
by VulDB Data Team • 02/25/2026
OliveTin is a web-based interface that exposes predefined shell commands, which makes it a sensitive component in automation and system-management workflows. CVE-2026-27626 describes a flaw in how the application validates input before executing those commands. It affects versions up to and including 3000.10.0, and exploitation can lead to complete compromise of the host. OliveTin's protection for shell mode is a safety check, `checkShellArgumentSafety`, intended to stop dangerous argument values from reaching the shell. That check blocks several argument types but does not cover `password`-typed arguments, which leaves a path for command injection.
Exploitation proceeds through two distinct but complementary vectors that together amount to remote code execution. The first targets `checkShellArgumentSafety`, which explicitly blocks several dangerous argument types but does not handle `password`-typed arguments. A password value containing shell metacharacters such as semicolons, pipes, or backticks is passed unsanitized to the shell execution layer, so an attacker can inject arbitrary OS commands that run with the privileges of the OliveTin process. The second vector is the webhook functionality: JSON values extracted from incoming webhooks skip the type safety checks entirely before reaching `sh -c`. Any webhook-triggered action can therefore execute shell commands without sanitization, creating an unauthenticated attack surface.
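As an added illustration, and not OliveTin's own code, the Go snippet below shows the defensive shape this analysis calls for: an argument safety check whose allowlist covers every argument type, `password` included, and a single build step that every value passes through whether it came from the web form or from webhook JSON, so no input source reaches `sh -c` unchecked. The function and type names, the type names other than `password`, the allowlist patterns, the `{{ name }}` template syntax and the webhook bodies are all assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical argument types (only "password" is named on the advisory page).
// Each type gets an explicit allowlist; there is no type that is skipped.
var safeValuePatterns = map[string]*regexp.Regexp{
	"ascii_identifier": regexp.MustCompile(`^[A-Za-z0-9_]{1,64}$`),
	"unix_path":        regexp.MustCompile(`^[A-Za-z0-9_./-]{1,255}$`),
	// Passwords are validated like everything else; the class deliberately
	// excludes whitespace, quotes, $, `, ;, |, &, <, > and glob characters.
	"password": regexp.MustCompile(`^[A-Za-z0-9_.@%+=-]{1,128}$`),
}

var ErrUnsafeArgument = errors.New("argument value rejected by shell safety check")

// CheckShellArgumentSafety (example re-implementation, not OliveTin's) applies
// the allowlist for argType. An unknown type fails closed rather than open.
func CheckShellArgumentSafety(argType, value string) error {
	pat, ok := safeValuePatterns[argType]
	if !ok {
		return fmt.Errorf("%w: unknown argument type %q", ErrUnsafeArgument, argType)
	}
	if !pat.MatchString(value) {
		return fmt.Errorf("%w: type %q", ErrUnsafeArgument, argType)
	}
	return nil
}

// ActionArg describes one configured argument of a shell-mode action.
type ActionArg struct {
	Name string
	Type string
}

// BuildShellCommand substitutes values into a template such as
// "login.sh {{ user }} {{ password }}". Every value passes through
// CheckShellArgumentSafety here, regardless of where it was collected,
// so a webhook path cannot bypass the check the form path gets.
func BuildShellCommand(template string, args []ActionArg, values map[string]string) (string, error) {
	cmd := template
	for _, a := range args {
		v, present := values[a.Name]
		if !present {
			return "", fmt.Errorf("missing value for argument %q", a.Name)
		}
		if err := CheckShellArgumentSafety(a.Type, v); err != nil {
			return "", fmt.Errorf("argument %q: %w", a.Name, err)
		}
		cmd = strings.ReplaceAll(cmd, "{{ "+a.Name+" }}", v)
	}
	return cmd, nil
}

// ValuesFromWebhook extracts string fields from a webhook JSON body. It only
// extracts; validation is left to BuildShellCommand so it cannot be skipped.
func ValuesFromWebhook(body []byte, wanted []ActionArg) (map[string]string, error) {
	var payload map[string]any
	if err := json.Unmarshal(body, &payload); err != nil {
		return nil, err
	}
	out := make(map[string]string, len(wanted))
	for _, a := range wanted {
		raw, ok := payload[a.Name]
		if !ok {
			continue
		}
		s, ok := raw.(string)
		if !ok {
			return nil, fmt.Errorf("webhook field %q is not a string", a.Name)
		}
		out[a.Name] = s
	}
	return out, nil
}

func main() {
	args := []ActionArg{{Name: "user", Type: "ascii_identifier"}, {Name: "password", Type: "password"}}
	// Constructed webhook bodies; the second carries a shell metacharacter.
	for _, body := range []string{
		`{"user":"alice","password":"hunter2"}`,
		`{"user":"alice","password":"hunter2; echo injected"}`,
	} {
		vals, err := ValuesFromWebhook([]byte(body), args)
		if err != nil {
			fmt.Println("extract error:", err)
			continue
		}
		cmd, err := BuildShellCommand("login.sh {{ user }} {{ password }}", args, vals)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("would run via sh -c:", cmd)
	}
}
```

The allowlist is a last line of defence, not the fix: the stronger design is to pass validated values as separate argv elements (`exec.Command(program, args...)`) so the shell never parses them at all. The template-to-string step is kept here only because it mirrors the `sh -c` path the advisory describes and shows where a missing type check turns into command injection.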
The operational impact is severe for every OliveTin installation that uses Shell mode with webhook-triggered actions. OliveTin's default configuration enables registration and sets `authType: none`, so any authenticated user can exploit the first vector to run arbitrary OS commands; this is a privilege escalation scenario in which even a basic user account can gain system-level access. When both vectors are exploited together, an unauthenticated attacker achieves remote code execution against any affected instance. The consequences extend beyond command execution to privilege escalation, data exfiltration, and full system compromise. Organizations that rely on OliveTin for automation workflows face significant risk, because external attackers need no credentials to exploit the webhook path.
The vulnerability corresponds to CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-20 (Improper Input Validation), the core weaknesses behind command injection and missing input sanitization. In ATT&CK terms it maps to T1059.004 (Unix Shell) and T1068 (Exploitation for Privilege Escalation) in the Execution and Privilege Escalation tactics. Because no patched version was available at the time of publication, organizations must either apply workarounds or move away from vulnerable versions. Webhook handling is a primary use case for OliveTin, which makes the attack surface larger than for a typical command injection bug. Recommended interim measures: disable webhook functionality where it is not required, restrict network access so that only trusted sources can deliver webhooks, and consider disabling Shell mode until a proper patch is available. The root cause is an input-validation design that did not cover every argument type; automation tools that pass user-supplied values to a shell need sanitization that is complete across all argument types and all input sources.