CVE-2026-27626

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-27626
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27626.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27626
Aliases
Downstream
Related
Published
2026-02-25T02:43:08.189Z
Modified
2026-03-14T12:47:53.955903Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
OliveTin vulnerable to OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks
Details

OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (checkShellArgumentSafety) blocks several dangerous argument types but not password. A user supplying a password-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching sh -c. When exploiting vector 1, any authenticated user (registration enabled by default, authType: none by default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process. When exploiting vector 2, an unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case. When an attacker exploits both vectors, this results in unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions. As of time of publication, a patched version is not available.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27626.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/olivetin/olivetin

Affected ranges

Type
GIT
Repo
https://github.com/olivetin/olivetin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
d22bdebff7c7fd54508d12758d5f8cf3f8bf7ac3
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3000.10.0"
        }
    ]
}

Affected versions

2021-05-19.*
2021-05-19.28
2021-05-24.*
2021-05-24.f44
Other
2021-05-25
2021-05-28
2021-07-16
2021-07-19
2021-11-17
2021-11-17-2
2021-11-19
2022-01-06
2022-04-07
2022-10-19
2021-11-02.*
2021-11-02.alpha1-task-arguments
2022.*
2022.11.11
2022.11.14
2023.*
2023.02.16
2023.03.22
2023.03.24
2023.03.24-2
2023.03.24-3
2023.03.24-4
2023.03.25
2023.10.09
2023.10.12
2023.10.24
2023.10.25
2023.12.1
2023.12.17
2023.12.20
2023.12.21
2024.*
2024.02.01
2024.02.27
2024.02.28
2024.03.01
2024.03.05
2024.03.06
2024.03.08
2024.03.081
2024.03.24
2024.04.021
2024.04.09
2024.04.11
2024.04.14
2024.04.18
2024.04.20
2024.04.26
2024.04.261
2024.04.28
2024.05.13
2024.05.24
2024.05.27
2024.05.31
2024.05.51
2024.06.01
2024.06.02
2024.06.04
2024.07.03
2024.07.06
2024.07.07
2024.07.13
2024.07.15
2024.07.152
2024.07.153
2024.07.16
2024.08.14
2024.08.25
2024.08.31
2024.09.02
2024.09.10
2024.09.11
2024.09.16
2024.10.01
2024.10.02
2024.10.14
2024.10.17
2024.10.18
2024.10.26
2024.10.27
2024.11.02
2024.11.09
2024.11.18
2024.11.24
2024.12.11
2025.*
2025.2.19
2025.2.21
2025.3.23
2025.3.28
2025.4.14
2025.4.21
2025.4.22
2025.4.8
2025.5.26
2025.6.1
2025.6.22
2025.6.6
2025.7.13
2025.7.19
2025.7.28
2025.7.29
3000.*
3000.0.0
3000.0.1
3000.0.2
3000.1.0
3000.1.1
3000.1.2
3000.10.0
3000.2.0
3000.2.1
3000.3.0
3000.3.1
3000.3.2
3000.4.0
3000.5.0
3000.6.0
3000.7.0
3000.8.0
3000.9.0
3000.9.0-beta.1
3000.9.0-beta.2
3000.9.0-beta.3
3000.9.1
3000.9.2
3000.9.3
3000.9.4

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27626.json"