{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32102", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:02:38.854Z", "datePublished": "2026-03-11T20:05:16.164Z", "dateUpdated": "2026-03-12T19:47:37.664Z"}, "containers": {"cna": {"title": "OliveTin Unauthorized Action Output Disclosure via EventStream", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-228v-wc5r-j8m7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-228v-wc5r-j8m7"}], "affected": [{"vendor": "OliveTin", "product": "OliveTin", "versions": [{"version": "< 3000.10.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T20:05:16.164Z"}, "descriptions": [{"lang": "en", "value": "OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin\u2019s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure."}], "source": {"advisory": "GHSA-228v-wc5r-j8m7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:47:31.122427Z", "id": "CVE-2026-32102", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:47:37.664Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32102", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T19:47:31.122427Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:47:34.884Z"}}], "cna": {"title": "OliveTin Unauthorized Action Output Disclosure via EventStream", "source": {"advisory": "GHSA-228v-wc5r-j8m7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OliveTin", "product": "OliveTin", "versions": [{"status": "affected", "version": "< 3000.10.2"}]}], "references": [{"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-228v-wc5r-j8m7", "name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-228v-wc5r-j8m7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin\u2019s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T20:05:16.164Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32102", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:47:37.664Z", "dateReserved": "2026-03-10T22:02:38.854Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T20:05:16.164Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:olivetin:olivetin:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B4582D9-169E-40D5-8E85-A2C591F413A9", "versionEndIncluding": "3000.10.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin\u2019s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure."}, {"lang": "es", "value": "OliveTin da acceso a comandos de shell predefinidos desde una interfaz web. En 3000.10.2 y anteriores, el EventStream en vivo de OliveTin transmite eventos de ejecuci\u00f3n y la salida de acciones a suscriptores autenticados del panel de control sin aplicar autorizaci\u00f3n por acci\u00f3n. Un usuario autenticado con bajos privilegios puede recibir la salida de acciones que no tiene permitido ver, lo que resulta en un control de acceso roto y revelaci\u00f3n de informaci\u00f3n sensible."}], "id": "CVE-2026-32102", "lastModified": "2026-03-17T15:34:48.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T21:16:16.167", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-228v-wc5r-j8m7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3000.10.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "OliveTin", "source": "cna", "vendor": "OliveTin"}, "product": "olivetin", "vendor": "olivetin"}], "analysis": {"en": {"generated_at": "2026-03-17T17:07:26.662911+00:00", "value": {"mitigation_remediation": ["Upgrade OliveTin to version 3000.10.3 or later, where the EventStream authorization has been fixed.", "If an upgrade is delayed, reconfigure or disable the EventStream feature so that only authorized users receive command output.", "Verify that the dashboard\u2019s per\u2011action authorization settings correctly restrict output visibility for each authenticated user."], "summary": {"action": "Patch Immediately", "impact": "Sensitive Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects OliveTin 3000.10.2 and earlier. All deployments of OliveTin that use the default EventStream setting and have multiple authenticated users are potentially impacted. The CNA identifies OliveTin:OliveTin as the affected vendor/product.", "description_and_impact": "OliveTin\u2019s EventStream feature broadcasts execution events and action output to all authenticated dashboard subscribers without enforcing per-action authorization. This flaw allows a low\u2011privileged authenticated user to receive the output of commands they are not permitted to view, leading to sensitive information disclosure. The weakness corresponds to CWE\u2011284 (Improper Authorization) and CWE\u2011863 (Missing Authorization for a Mechanism).", "risk_and_exploitability": "The CVSS score is 7.1, indicating a high severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the near term, and the vulnerability is not listed in CISA\u2019s KEV catalog. However, because the exploit requires only normal authentication to the dashboard, an attacker who gains such credentials can easily obtain unauthorized command output. The overall risk is moderate-high for environments with sensitive data handled by OliveTin commands."}}}}, "created": "2026-03-12T09:56:16.902697+00:00", "updated": "2026-03-20T15:37:22.715508+00:00", "vendors": ["olivetin", "olivetin$PRODUCT$olivetin"]}