{"uuid": "efb85a04-5986-4288-af5e-a4b0588f9cdb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-f637-w7p2-m7fx", "type": "seen", "source": "https://gist.github.com/alon710/1366cab1be37fd922161593dd6bd5218", "content": "# CVE-2026-48709: CVE-2026-48709: Missing Authorization in OliveTin ValidateArgumentType RPC Endpoint\n\n> **CVSS Score:** 3.7\n> **Published:** 2026-06-24\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48709\n\n## Summary\nA missing authorization vulnerability in the OliveTin system allows unauthenticated remote actors to query the ValidateArgumentType RPC endpoint. By exploiting this flaw, attackers can execute systematic brute-force and side-channel validation attacks to enumerate active action binding IDs, parameter structures, and operational metadata, bypassing configured guest authentication barriers.\n\n## TL;DR\nOliveTin prior to version 3000.13.0 exposes its ValidateArgumentType API endpoint to unauthenticated guest users. Remote attackers can leverage this missing access control to execute oracle-style enumeration attacks, mapping out administrative action binding IDs and parameter requirements.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-862\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1**: 3.7\n- **EPSS Score**: 0.00269\n- **Impact**: Low (Information Disclosure / Reconnaissance)\n- **Exploit Status**: Proof of Concept (PoC) documented\n- **KEV Status**: Not listed in CISA KEV\n\n## Affected Systems\n\n- OliveTin (All versions prior to 3000.13.0)\n- **OliveTin**: < 3000.13.0 (Fixed in: `3000.13.0`)\n\n## Mitigation\n\n- Upgrade OliveTin to version 3000.13.0 or later\n- Deploy a reverse proxy (Nginx/Caddy) to block access to the ValidateArgumentType RPC endpoints\n- Use high-entropy, randomized action titles to prevent brute-forcing of binding IDs\n\n**Remediation Steps:**\n1. Step 1: Identify all running OliveTin containers or binary instances in the environment.\n2. Step 2: Update the deployment configurations (Docker Compose, systemd) to reference version 3000.13.0 or higher.\n3. Step 3: If upgrade is delayed, add a location block in the reverse proxy configuration to return 403 for /api/ValidateArgumentType.\n4. Step 4: Audit existing action titles and rewrite highly predictable names using high-entropy suffixes.\n\n## References\n\n- [GHSA-f637-w7p2-m7fx: OliveTin Missing Authorization in ValidateArgumentType](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx)\n- [NVD - CVE-2026-48709 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-48709)\n- [OliveTin GitHub Project Page](https://github.com/OliveTin/OliveTin)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48709) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T19:04:03.129966Z"}