CVE-2026-31817

CVE-2026-31817 is a path traversal vulnerability (CWE-22) affecting OliveTin, an open-source web interface for executing predefined shell commands, in versions prior to 3000.11.2. When the saveLogs feature is enabled, OliveTin writes execution log entries to disk using a filename partially constructed from the user-supplied UniqueTrackingId field in the StartAction API request. This field lacks validation or sanitization, enabling attackers to inject directory traversal sequences such as "../../../" to direct log files to arbitrary filesystem locations.

The vulnerability has a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L), indicating exploitation over the network with low complexity by low-privileged authenticated users and no user interaction required. Successful exploitation allows attackers to write files to arbitrary paths on the server filesystem, potentially enabling persistence, configuration overwrites, or further compromise depending on write permissions and locations targeted, with high integrity impact, changed scope, low availability impact, and no confidentiality impact.

The OliveTin security advisory at https://github.com/OliveTin/OliveTin/security/advisories/GHSA-364q-w7vh-vhpc confirms the issue and states it is fixed in version 3000.11.2 by addressing the lack of sanitization in the UniqueTrackingId handling. Security practitioners should upgrade to 3000.11.2 or later and disable saveLogs if not needed, while reviewing access controls on the StartAction API endpoint.