GHSA-228V-WC5R-J8M7

Vulnerability from github – Published: 2026-03-12 14:20 – Updated: 2026-03-12 14:21
VLAI?
Summary
OliveTin Vulnerable to Unauthorized Action Output Disclosure via EventStream
Details

Summary

OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure. I validated this on OliveTin 3000.10.2.

Details

The issue is in the live event streaming path.

EventStream() only checks whether the caller may access the dashboard, then registers the user as a stream subscriber:

  • service/internal/api/api.go:776

After subscription, execution events are broadcast to all connected clients without checking whether each recipient is authorized to view logs for the action:

  • service/internal/api/api.go:846 OnExecutionStarted
  • service/internal/api/api.go:869 OnExecutionFinished
  • service/internal/api/api.go:1047 OnOutputChunk

The event payload includes action output through:

  • service/internal/api/api.go:295 internalLogEntryToPb
  • service/internal/api/api.go:302 Output

By contrast, the normal log APIs do apply per-action authorization checks:

  • service/internal/api/api.go:518 GetLogs
  • service/internal/api/api.go:585 GetActionLogs
  • service/internal/api/api.go:544 isLogEntryAllowed

Root cause:

  • the subscription path enforces only coarse dashboard access
  • execution callbacks broadcast to every connected client
  • no per-recipient ACL check is applied before sending action metadata or output

I validated the issue using:

  • an admin user with full ACLs
  • an alice user with no ACLs
  • a protected action that outputs TOPSECRET=alpha-bravo-charlie

Despite having no relevant ACLs, alice still receives the ExecutionFinished event for the privileged action, including the protected output.

PoC

Tested version:

  - 3000.10.2
  1. Fetch and check out 3000.10.2 in a clean worktree:
  git -C OliveTin fetch origin tag 3000.10.2
  git -C OliveTin worktree add /home/kali/CVE/OliveTin-3000.10.2 3000.10.2
  1. Copy the PoC test into the clean tree:
  cp OliveTin/service/internal/api/event_stream_leak_test.go \
    OliveTin-3000.10.2/service/internal/api/
  1. Run the targeted PoC test:
  cd OliveTin-3000.10.2/service
  go test ./internal/api -run TestEventStreamLeaksUnauthorizedExecutionOutput -count=1 -timeout 30s -v
  1. Optional: save validation output:
  go test ./internal/api -run TestEventStreamLeaksUnauthorizedExecutionOutput -count=1 -timeout 30s -v \
    2>&1 | tee /tmp/olivetin_eventstream_3000.10.2.log

Observed validation output:

  === RUN   TestEventStreamLeaksUnauthorizedExecutionOutput
  time="2026-03-01T04:44:59-05:00" level=info msg="Action requested" actionTitle=secret-action tags="[]"
  time="2026-03-01T04:44:59-05:00" level=info msg="Action parse args - Before" actionTitle=secret-action cmd="echo 'TOPSECRET=alpha-bravo-charlie'"
  time="2026-03-01T04:44:59-05:00" level=info msg="Action parse args - After" actionTitle=secret-action cmd="echo 'TOPSECRET=alpha-bravo-charlie'"
  time="2026-03-01T04:44:59-05:00" level=info msg="Action started" actionTitle=secret-action timeout=1
  time="2026-03-01T04:44:59-05:00" level=info msg="Action finished" actionTitle=secret-action exit=0 outputLength=30 timedOut=false
  --- PASS: TestEventStreamLeaksUnauthorizedExecutionOutput (0.00s)
  PASS
  ok      github.com/OliveTin/OliveTin/internal/api       0.025s

What this proves:

  • admin can execute the protected action
  • alice has no ACLs
  • alice still receives the streamed completion event for the protected action
  • protected action output is exposed through the event stream

Impact

This is an authenticated broken access control / information disclosure vulnerability.

A low-privileged authenticated user can subscribe to EventStream and receive:

  • action execution metadata
  • execution tracking IDs
  • initiating username
  • live output chunks
  • final command output

Who is impacted:

  • multi-user OliveTin deployments
  • environments where privileged actions produce secrets, tokens, internal system details, or other sensitive operational output
  • deployments where lower-privileged authenticated users can access the dashboard and subscribe to live events

This bypasses intended per-action log/view restrictions for protected actions.

Severity ?
7.1 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/OliveTin/OliveTin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3000.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T14:20:16Z",
    "nvd_published_at": "2026-03-11T21:16:16Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\n  OliveTin\u2019s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are\n  not allowed to view, resulting in broken access control and sensitive information disclosure. I validated this on OliveTin 3000.10.2.\n\n\n\n\n### Details\nThe issue is in the live event streaming path.\n\n  EventStream() only checks whether the caller may access the dashboard, then registers the user as a stream subscriber:\n\n  - service/internal/api/api.go:776\n\n  After subscription, execution events are broadcast to all connected clients without checking whether each recipient is authorized to view logs for the action:\n\n  - service/internal/api/api.go:846 OnExecutionStarted\n  - service/internal/api/api.go:869 OnExecutionFinished\n  - service/internal/api/api.go:1047 OnOutputChunk\n\n  The event payload includes action output through:\n\n  - service/internal/api/api.go:295 internalLogEntryToPb\n  - service/internal/api/api.go:302 Output\n\n  By contrast, the normal log APIs do apply per-action authorization checks:\n\n  - service/internal/api/api.go:518 GetLogs\n  - service/internal/api/api.go:585 GetActionLogs\n  - service/internal/api/api.go:544 isLogEntryAllowed\n\n  Root cause:\n\n  - the subscription path enforces only coarse dashboard access\n  - execution callbacks broadcast to every connected client\n  - no per-recipient ACL check is applied before sending action metadata or output\n\n  I validated the issue using:\n\n  - an admin user with full ACLs\n  - an alice user with no ACLs\n  - a protected action that outputs TOPSECRET=alpha-bravo-charlie\n\n  Despite having no relevant ACLs, alice still receives the ExecutionFinished event for the privileged action, including the protected output.\n\n\n\n### PoC\nTested version:\n```\n  - 3000.10.2\n```\n  1. Fetch and check out 3000.10.2 in a clean worktree:\n```bash\n  git -C OliveTin fetch origin tag 3000.10.2\n  git -C OliveTin worktree add /home/kali/CVE/OliveTin-3000.10.2 3000.10.2\n```\n  2. Copy the PoC test into the clean tree:\n```bash\n  cp OliveTin/service/internal/api/event_stream_leak_test.go \\\n    OliveTin-3000.10.2/service/internal/api/\n```\n  3. Run the targeted PoC test:\n```bash\n  cd OliveTin-3000.10.2/service\n  go test ./internal/api -run TestEventStreamLeaksUnauthorizedExecutionOutput -count=1 -timeout 30s -v\n```\n  4. Optional: save validation output:\n```bash\n  go test ./internal/api -run TestEventStreamLeaksUnauthorizedExecutionOutput -count=1 -timeout 30s -v \\\n    2\u003e\u00261 | tee /tmp/olivetin_eventstream_3000.10.2.log\n```\n  Observed validation output:\n```bash\n  === RUN   TestEventStreamLeaksUnauthorizedExecutionOutput\n  time=\"2026-03-01T04:44:59-05:00\" level=info msg=\"Action requested\" actionTitle=secret-action tags=\"[]\"\n  time=\"2026-03-01T04:44:59-05:00\" level=info msg=\"Action parse args - Before\" actionTitle=secret-action cmd=\"echo \u0027TOPSECRET=alpha-bravo-charlie\u0027\"\n  time=\"2026-03-01T04:44:59-05:00\" level=info msg=\"Action parse args - After\" actionTitle=secret-action cmd=\"echo \u0027TOPSECRET=alpha-bravo-charlie\u0027\"\n  time=\"2026-03-01T04:44:59-05:00\" level=info msg=\"Action started\" actionTitle=secret-action timeout=1\n  time=\"2026-03-01T04:44:59-05:00\" level=info msg=\"Action finished\" actionTitle=secret-action exit=0 outputLength=30 timedOut=false\n  --- PASS: TestEventStreamLeaksUnauthorizedExecutionOutput (0.00s)\n  PASS\n  ok      github.com/OliveTin/OliveTin/internal/api       0.025s\n```\n  What this proves:\n\n  - admin can execute the protected action\n  - alice has no ACLs\n  - alice still receives the streamed completion event for the protected action\n  - protected action output is exposed through the event stream\n\n\n### Impact\n  This is an authenticated broken access control / information disclosure vulnerability.\n\n  A low-privileged authenticated user can subscribe to EventStream and receive:\n\n  - action execution metadata\n  - execution tracking IDs\n  - initiating username\n  - live output chunks\n  - final command output\n\n  Who is impacted:\n\n  - multi-user OliveTin deployments\n  - environments where privileged actions produce secrets, tokens, internal system details, or other sensitive operational output\n  - deployments where lower-privileged authenticated users can access the dashboard and subscribe to live events\n\n  This bypasses intended per-action log/view restrictions for protected actions.",
  "id": "GHSA-228v-wc5r-j8m7",
  "modified": "2026-03-12T14:21:00Z",
  "published": "2026-03-12T14:20:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-228v-wc5r-j8m7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32102"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OliveTin/OliveTin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OliveTin Vulnerable to Unauthorized Action Output Disclosure via EventStream"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.