CVE-2026-27626
Published: 25 February 2026
Description
OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching `sh -c`. When exploiting vector 1, any authenticated user (registration enabled by default, `authType: none` by default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process. When exploiting vector 2, an unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case. When an attacker exploits both vectors, this results in unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions. As of time of publication, a patched version is not available.
Mitigating Controls (NIST 800-53 r5)
- Directly mandates validation of inputs such as password-typed arguments and webhook-extracted JSON values to block shell metacharacters before passing to `sh -c` execution.
- Requires restricting or prohibiting unnecessary shell mode and webhook functionality, eliminating the primary vectors for command injection.
- Ensures timely monitoring for and application of flaw remediation patches for known vulnerabilities like this OS command injection in OliveTin.
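The two weaknesses in the description share one root cause: a safety check keyed on argument type, so a type that is missing from the check (`password`) or a value that never carries a type (a webhook-extracted JSON field) reaches `sh -c` unchecked. The Go example below is added here to illustrate the first mitigating control; it is not OliveTin's code and does not reproduce `checkShellArgumentSafety`. It assumes a hypothetical action format where `{{name}}` placeholders are substituted from a map of user- or webhook-supplied values. `CheckShellArgument` applies one rule to every value regardless of type, and `ResolveArgv` shows the structural fix of passing values as argv elements so no shell parses them at all.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Bytes that let a substituted value escape into shell syntax once the
// rendered command line is handed to `sh -c`. Braces are included so a value
// cannot smuggle in another {{placeholder}}.
const shellMetachars = "`$;|&<>(){}!\\\"'*?~\n\r"

// ErrUnsafeArgument marks a value that must never reach `sh -c`.
var ErrUnsafeArgument = errors.New("argument contains shell metacharacters")

// CheckShellArgument is a hypothetical replacement for a per-type safety
// check. It deliberately does not branch on argType: a `password` field, a
// free-text field, or a value lifted out of a webhook body all get exactly
// the same rule, so no type can be forgotten.
func CheckShellArgument(argType, value string) error {
	if idx := strings.IndexAny(value, shellMetachars); idx >= 0 {
		return fmt.Errorf("%w (type %q, offset %d)", ErrUnsafeArgument, argType, idx)
	}
	for _, r := range value {
		if r < 0x20 || r == 0x7f { // control characters, including newline
			return fmt.Errorf("%w (type %q, control byte)", ErrUnsafeArgument, argType)
		}
	}
	return nil
}

// RenderShellMode mirrors a shell-mode flow: every value, whether typed by a
// user or extracted from a webhook, passes CheckShellArgument before the
// template is rendered. It returns the line that would be given to `sh -c`.
func RenderShellMode(template string, argTypes, values map[string]string) (string, error) {
	out := template
	for name, val := range values {
		if err := CheckShellArgument(argTypes[name], val); err != nil {
			return "", fmt.Errorf("argument %q: %w", name, err)
		}
		out = strings.ReplaceAll(out, "{{"+name+"}}", val)
	}
	return out, nil
}

// ResolveArgv is the stronger fix: each value becomes a whole argv element and
// no shell ever parses it, so `$(id)` in a password stays a literal string.
// Only placeholders that form an entire element are substituted.
func ResolveArgv(argv []string, values map[string]string) []string {
	resolved := make([]string, len(argv))
	for i, a := range argv {
		if strings.HasPrefix(a, "{{") && strings.HasSuffix(a, "}}") {
			if v, ok := values[a[2:len(a)-2]]; ok {
				resolved[i] = v
				continue
			}
		}
		resolved[i] = a
	}
	return resolved
}

func main() {
	types := map[string]string{"user": "ascii_identifier", "password": "password"}

	// Constructed input standing in for a webhook payload: the password value
	// carries a command substitution.
	vals := map[string]string{"user": "alice", "password": "x$(id)"}

	if _, err := RenderShellMode("login {{user}} {{password}}", types, vals); err != nil {
		fmt.Println("shell mode rejected:", err)
	}

	// Without a shell the same value is inert; echo prints it back verbatim.
	argv := ResolveArgv([]string{"echo", "login", "{{user}}", "{{password}}"}, vals)
	out, _ := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	fmt.Printf("argv mode output: %s", out)
}
```

The deny-list in `CheckShellArgument` is only a backstop for code paths that must keep using `sh -c`; `ResolveArgv` removes the shell from the path entirely, which is the change that also makes untyped webhook values safe.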
Security Summary
CVE-2026-27626 is an OS command injection vulnerability (CWE-78) in OliveTin, a web interface for executing predefined shell commands, affecting versions up to and including 3000.10.0. The flaw stems from two independent vectors in shell mode. The first involves the `checkShellArgumentSafety` function, which blocks several dangerous argument types but fails to sanitize `password`-typed arguments, allowing injection of shell metacharacters. The second vector bypasses type safety checks entirely when processing JSON values extracted from unauthenticated webhooks before they reach `sh -c` execution.
Any authenticated user—who can register by default or access instances with `authType: none` enabled by default—can exploit the first vector to execute arbitrary OS commands on the OliveTin host with the process's permissions. The second vector enables unauthenticated remote code execution (RCE) if the instance receives webhooks from external sources, a common OliveTin configuration. Combining both vectors allows unauthenticated RCE on any OliveTin instance using shell mode with webhook-triggered actions. The vulnerability carries a CVSS v3.1 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
The primary advisory, published on GitHub at https://github.com/OliveTin/OliveTin/security/advisories/GHSA-49gm-hh7w-wfvf, details the vectors but notes that no patched version was available as of the CVE publication date on 2026-02-25. Security practitioners should monitor for updates from the OliveTin project and consider disabling shell mode, webhooks, or default registration until mitigation is released.
Details
- CWE(s): CWE-78 (OS Command Injection)
- Affected Products: OliveTin, versions up to and including 3000.10.0
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-27626 enables unauthenticated/authenticated RCE via OS command injection in a web interface using 'sh -c', directly facilitating T1190 (public-facing app exploitation) and T1059.004 (Unix Shell execution).