Nixpkgs security tracker

Untriaged

Permalink CVE-2026-30233

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

OliveTin: View permission not being checked when returning dashboards

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1.

References

https://github.com/OliveTin/OliveTin/security/advisories/GHSA-jf73-858c-54pg x_refsource_CONFIRM
https://github.com/OliveTin/OliveTin/commit/d7962710e7c46f6bdda4188b5b0cdbde4be665a0 x_refsource_MISC
https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1 x_refsource_MISC

Affected products

OliveTin

==< 3000.11.1

Matching in nixpkgs

pkgs.olivetin

Gives safe and simple access to predefined shell commands from a web interface

nixos-unstable 2025.11.25
- nixpkgs-unstable 2025.11.25
- nixos-unstable-small 2025.11.25
nixos-25.11 2025.11.25
- nixos-25.11-small 2025.11.25
- nixpkgs-25.11-darwin 2025.11.25

Package maintainers

@Defelo Defelo

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.olivetin

Package maintainers