CVE-2026-48709

LOW 3.7

OliveTin: ValidateArgumentType API Endpoint Missing Authentication Allows Action and Argument Enumeration

CVSS Score

3.7

EPSS Score

0.0%

EPSS Percentile

0th

OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations. This issue has been fixed in version 3000.13.0.

CWE	CWE-862
Vendor	olivetin
Product	olivetin
Published	Jun 15, 2026

Stay Ahead of the Next One

Get instant alerts for olivetin olivetin

Be the first to know when new low vulnerabilities affecting olivetin olivetin are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

OliveTin / OliveTin

< 3000.13.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx github.com: https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0