NIXPKGS-2026-0545

GitHub issue published on 7 Mar 2026

Permalink CVE-2026-30233

updated 18 hours ago by @mweinelt Activity log

Created automatic suggestion 1 day, 7 hours ago
@mweinelt accepted 18 hours ago
@mweinelt published on GitHub 18 hours ago

OliveTin: View permission not being checked when returning dashboards

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1.

References

https://github.com/OliveTin/OliveTin/security/advisories/GHSA-jf73-858c-54pg x_refsource_CONFIRM
https://github.com/OliveTin/OliveTin/commit/d7962710e7c46f6bdda4188b5b0cdbde4be665a0 x_refsource_MISC
https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1 x_refsource_MISC

Affected products

OliveTin

==< 3000.11.1

Matching in nixpkgs

pkgs.olivetin

Gives safe and simple access to predefined shell commands from a web interface

nixos-unstable 2025.11.25
- nixpkgs-unstable 2025.11.25
- nixos-unstable-small 2025.11.25
nixos-25.11 2025.11.25
- nixos-25.11-small 2025.11.25
- nixpkgs-25.11-darwin 2025.11.25

Package maintainers

@Defelo Defelo

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0545

References

Affected products

Matching in nixpkgs

pkgs.olivetin

Package maintainers