github.com/OliveTin/OliveTin

CVE-2026-48709

CVE-2026-48709 is a low-severity missing authorization vulnerability in github.com/OliveTin/OliveTin (go), affecting versions < 0.0.0-20260521230847-a3865704c854. It is fixed in 0.0.0-20260521230847-a3865704c854.

Key facts

  • CVSS score: 3.7 (Low)
  • Attack vector: Network
  • Issuing authority: GitHub Advisory Database
  • Affected package: github.com/OliveTin/OliveTin
  • Fixed in: 0.0.0-20260521230847-a3865704c854
  • Disclosed: 2026

Summary

The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations.

Details

Root Cause

The ValidateArgumentType handler at service/internal/api/api.go:726 has no authentication check:

Compare this with adjacent endpoints that DO have auth checks:

Oracle Behavior

The endpoint provides different responses based on whether the binding and argument exist:

  • Valid binding + valid argument: Returns {valid: true/false, description: "..."} (200 OK)
  • Valid binding + invalid argument: Returns CodeNotFound error
  • Invalid binding: Returns CodeNotFound error

While the error messages for the last two cases are identical, an attacker who knows a valid binding ID (or can guess one from the action title SHA256) can enumerate argument names by observing which ones return 200 OK vs CodeNotFound.

Binding ID Predictability

Binding IDs are SHA256 hashes of action titles (see service/internal/executor/executoractions.go). Since action titles are typically short, human-readable strings (e.g., "Ping", "Restart Service", "Deploy"), an attacker can precompute hashes of likely titles and test them against this endpoint.

Scope

This finding is only meaningful when AuthRequireGuestsToLogin: true is configured. In the default configuration, where guests have full dashboard access, the action information is already visible through the dashboard API. When AuthRequireGuestsToLogin is true, checkDashboardAccess blocks guest access to other endpoints but NOT to ValidateArgumentType.

PoC

Prerequisites

  • OliveTin instance with AuthRequireGuestsToLogin: true configured

Step 1: Verify other endpoints require auth

Confirm that regular endpoints reject unauthenticated requests:

Step 2: Enumerate binding IDs via ValidateArgumentType

Test candidate binding IDs (SHA256 of guessed action titles):

Step 3: Enumerate argument names for a known binding

Once a valid binding ID is known, brute-force argument names:

Impact

  • Information Disclosure: Unauthenticated users can enumerate which actions exist (by testing binding IDs) and which arguments each action accepts (by testing argument names). This reveals the server configuration to unauthorized parties.
  • Reconnaissance for Further Attacks: The enumerated information (action names, argument names, argument types) provides valuable reconnaissance for more targeted attacks such as the ot prefix argument injection (see advisory 001) or social engineering.
  • Limited Scope: This is only exploitable when AuthRequireGuestsToLogin: true is configured. In the default configuration, guests already have full access to the dashboard, which exposes the same information.

Recommended Fix

Add authentication and dashboard access checks to the ValidateArgumentType handler, consistent with all other data-returning endpoints:
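
The missing gate and the recommended fix side by side, as an added Go example that is not OliveTin's own code. Config, Binding, the request and response types, checkDashboardAccess and userFromContext are hypothetical stand-ins for the project types the advisory names, and hex-encoded SHA256 of the action title is an assumed encoding for binding IDs. VulnerableValidateArgumentType runs the lookup with no access check, so a guest receives a 200-style result for a known binding and a not-found error for an unknown one. HardenedValidateArgumentType applies the same dashboard-access gate the other endpoints use before any lookup, so with AuthRequireGuestsToLogin enabled a guest sees one identical error whatever it asks about, while authenticated users and the default configuration behave as before.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
)

// Hypothetical stand-ins for OliveTin's config, auth and executor types, constructed
// for this example; they are not the project's real API.
type (
	Config  struct{ AuthRequireGuestsToLogin bool }
	Binding struct{ Args map[string]string } // argument name -> declared type ("int" or "string")

	ValidateArgumentTypeRequest  struct{ BindingID, ArgumentName, Value string }
	ValidateArgumentTypeResponse struct {
		Valid       bool
		Description string
	}

	Server struct {
		cfg      *Config
		bindings map[string]*Binding
	}
)

var (
	ErrUnauthenticated = errors.New("authentication required")
	ErrNotFound        = errors.New("not found") // stands in for CodeNotFound
)

type userKey struct{}

// withUser attaches an authenticated username to ctx (assumed helper for callers).
func withUser(ctx context.Context, name string) context.Context {
	return context.WithValue(ctx, userKey{}, name)
}

// userFromContext models auth.UserFromApiCall: the caller's name, or "guest".
func userFromContext(ctx context.Context) string {
	if u, ok := ctx.Value(userKey{}).(string); ok && u != "" {
		return u
	}
	return "guest"
}

// checkDashboardAccess models the gate the other data-returning endpoints apply.
func checkDashboardAccess(cfg *Config, user string) error {
	if user == "guest" && cfg.AuthRequireGuestsToLogin {
		return ErrUnauthenticated
	}
	return nil
}

// bindingIDForTitle follows the advisory's description of binding IDs as a SHA256
// of the action title; hex encoding is an assumption of this example.
func bindingIDForTitle(title string) string {
	sum := sha256.Sum256([]byte(title))
	return hex.EncodeToString(sum[:])
}

// lookupAndValidate is the shared data path. Its answer depends on whether the
// binding and the argument exist, which is the oracle the advisory describes.
func (s *Server) lookupAndValidate(req ValidateArgumentTypeRequest) (*ValidateArgumentTypeResponse, error) {
	b, ok := s.bindings[req.BindingID]
	if !ok {
		return nil, ErrNotFound
	}
	typ, ok := b.Args[req.ArgumentName]
	if !ok {
		return nil, ErrNotFound
	}
	if _, err := strconv.Atoi(req.Value); typ == "int" && err != nil {
		return &ValidateArgumentTypeResponse{Valid: false, Description: "expected an integer"}, nil
	}
	return &ValidateArgumentTypeResponse{Valid: true, Description: "ok"}, nil
}

// VulnerableValidateArgumentType reproduces the flaw: the lookup runs with no auth check.
func (s *Server) VulnerableValidateArgumentType(ctx context.Context, req ValidateArgumentTypeRequest) (*ValidateArgumentTypeResponse, error) {
	return s.lookupAndValidate(req)
}

// HardenedValidateArgumentType applies the same gate as the other endpoints before
// any lookup, so a guest receives one uniform error regardless of the request body.
func (s *Server) HardenedValidateArgumentType(ctx context.Context, req ValidateArgumentTypeRequest) (*ValidateArgumentTypeResponse, error) {
	if err := checkDashboardAccess(s.cfg, userFromContext(ctx)); err != nil {
		return nil, err
	}
	return s.lookupAndValidate(req)
}

// NewDemoServer builds a server holding two constructed actions.
func NewDemoServer(requireGuestsToLogin bool) *Server {
	return &Server{
		cfg: &Config{AuthRequireGuestsToLogin: requireGuestsToLogin},
		bindings: map[string]*Binding{
			bindingIDForTitle("Ping"):            {Args: map[string]string{"host": "string", "count": "int"}},
			bindingIDForTitle("Restart Service"): {Args: map[string]string{"name": "string"}},
		},
	}
}
```

The ordering is the point of the fix: the access check has to run before the binding and argument lookups, because any branch taken on the caller's input before the gate (a different error code, or even a measurably different response time) would keep the oracle alive for guests. Reviewing the handler list for any endpoint that reaches data without first calling the shared gate is the same check that would have caught this one.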

Impact

What is missing authorization?

The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.

Severity and exposure

CVE-2026-48709 has a CVSS score of 3.7 (Low). The attack vector is network, with no privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (0.0.0-20260521230847-a3865704c854). Upgrading removes the vulnerable code path.

Affected versions

go

  • github.com/OliveTin/OliveTin (< 0.0.0-20260521230847-a3865704c854)

Security releases

  • github.com/OliveTin/OliveTin → 0.0.0-20260521230847-a3865704c854 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-48709 is reachable in your applications. Explore open-source security for your team.


Remediation advice

Upgrade github.com/OliveTin/OliveTin to 0.0.0-20260521230847-a3865704c854 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-48709

What is CVE-2026-48709?

CVE-2026-48709 is a low-severity missing authorization vulnerability in github.com/OliveTin/OliveTin (go), affecting versions < 0.0.0-20260521230847-a3865704c854. It is fixed in 0.0.0-20260521230847-a3865704c854. The application does not perform an authorization check before performing a sensitive operation.

How severe is CVE-2026-48709?

CVE-2026-48709 has a CVSS score of 3.7 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of github.com/OliveTin/OliveTin are affected by CVE-2026-48709?

github.com/OliveTin/OliveTin (go) versions < 0.0.0-20260521230847-a3865704c854 are affected.

Is there a fix for CVE-2026-48709?

Yes. CVE-2026-48709 is fixed in 0.0.0-20260521230847-a3865704c854. Upgrade to this version or later.

Is CVE-2026-48709 exploitable, and should I be worried?

Whether CVE-2026-48709 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-48709 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-48709?

Upgrade github.com/OliveTin/OliveTin to 0.0.0-20260521230847-a3865704c854 or later.
