CVE-2026-32102 in OliveTin
Summary
by MITRE • 03/11/2026
OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure.
Analysis
by VulDB Data Team • 03/19/2026
OliveTin is a web-based interface that provides access to predefined shell commands through a graphical dashboard, enabling users to execute system-level operations remotely. The vulnerability exists in versions 3000.10.2 and earlier, where the system fails to properly enforce authorization controls during real-time event streaming. This flaw specifically affects the EventStream functionality that broadcasts execution events and action outputs to authenticated dashboard subscribers. The system maintains a list of predefined actions that users can execute, each with its own set of permissions and access controls, but the live streaming mechanism does not check whether a subscriber is authorized to view the output of a given action before delivering it, so users receive output from actions they are not permitted to execute.
The technical implementation flaw stems from the EventStream component's design where it indiscriminately broadcasts action execution data to all authenticated subscribers regardless of their individual permissions for specific actions. This represents a classic broken access control vulnerability where the authorization model fails to properly enforce access restrictions at the data streaming level. The vulnerability allows low-privileged authenticated users to receive output from system commands that should be restricted to higher-privileged users or specific roles. This occurs because the system's permission checking mechanism operates correctly at the action execution level but fails during the live data broadcasting phase, creating a gap where sensitive information can be exposed to unauthorized parties.
The operational impact of this vulnerability is significant as it enables information disclosure attacks where malicious users can gather sensitive data from system commands that they should not have access to. An attacker with low privileges could potentially collect system information, configuration details, or other sensitive outputs from commands that are normally restricted to administrators or specific user roles. This could lead to reconnaissance activities where attackers gather intelligence about the system's configuration, installed software, or network setup. The vulnerability affects the confidentiality aspect of the CIA triad and can be leveraged as a stepping stone for further attacks, potentially allowing privilege escalation or information gathering that could be used in subsequent exploitation phases.
This vulnerability aligns with CWE-285, which addresses improper authorization issues in systems, and can be categorized under ATT&CK technique T1078 for valid accounts and T1005 for data from local system. The security implications extend beyond simple information disclosure as this represents a failure in the principle of least privilege enforcement. Organizations using OliveTin should immediately update to versions that address this authorization gap in the EventStream functionality. Mitigation strategies include implementing proper access control checks during data streaming, ensuring that only authorized users receive output from actions they are permitted to execute, and conducting regular security reviews of real-time data broadcasting mechanisms. Additionally, network segmentation and monitoring of dashboard access patterns can help detect potential abuse of this vulnerability.
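To make the flaw in the streaming layer concrete, the following Go example (written for this analysis, not OliveTin's own code) models a minimal event fan-out: the unchecked broadcast delivers every execution event to every authenticated subscriber, while the corrected version applies the per-action authorization check at delivery time. The event type, the subscriber model and the action IDs are constructed assumptions.

```go
package main

import "fmt"

// ExecutionEvent is a constructed stand-in for the execution/output
// events a dashboard event stream would broadcast (hypothetical type).
type ExecutionEvent struct {
	ActionID string
	Output   string
}

// Subscriber models one authenticated dashboard session. Allowed holds
// the action IDs this user may execute and view (assumed policy shape).
type Subscriber struct {
	User    string
	Allowed map[string]bool
	Inbox   []ExecutionEvent
}

// BroadcastUnchecked reproduces the flawed pattern: every authenticated
// subscriber receives every event, regardless of per-action permission.
func BroadcastUnchecked(subs []*Subscriber, ev ExecutionEvent) {
	for _, s := range subs {
		s.Inbox = append(s.Inbox, ev)
	}
}

// BroadcastAuthorized applies the per-action check at the streaming layer,
// so an action's output reaches only subscribers allowed to view it.
// It returns how many subscribers received the event.
func BroadcastAuthorized(subs []*Subscriber, ev ExecutionEvent) int {
	delivered := 0
	for _, s := range subs {
		if s.Allowed[ev.ActionID] {
			s.Inbox = append(s.Inbox, ev)
			delivered++
		}
	}
	return delivered
}

func main() {
	admin := &Subscriber{User: "admin", Allowed: map[string]bool{"restart-db": true, "uptime": true}}
	viewer := &Subscriber{User: "viewer", Allowed: map[string]bool{"uptime": true}}
	subs := []*Subscriber{admin, viewer}
	ev := ExecutionEvent{ActionID: "restart-db", Output: "db restarted (constructed sample)"}
	BroadcastUnchecked(subs, ev)
	fmt.Printf("unchecked: viewer received %d event(s) it may not view\n", len(viewer.Inbox))
	viewer.Inbox = nil
	n := BroadcastAuthorized(subs, ev)
	fmt.Printf("authorized: delivered to %d subscriber(s), viewer received %d\n", n, len(viewer.Inbox))
}
```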