CVE-2026-30233: OliveTin doesn't check view permission when returning dashboards
An authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints.
Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata.
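The flaw class described above, as an added illustration that is not OliveTin's code: a dashboard builder that filters bindings only on the exec permission leaks metadata to a user who has both `exec` and `view` denied, while one that calls the view check at response-construction time does not. The `User`, `Permissions` and `ActionBinding` types, the `IsAllowedView`/`IsAllowedExec` method signatures and the sample actions are assumptions made for this example; `leakedBindings` is a regression check a maintainer could keep in a test suite to catch the same omission on other endpoints.

```go
package main

import "fmt"

// Permissions held by a user for one action. Stand-in for the page's
// "view: false" / exec settings; not OliveTin's configuration model.
type Permissions struct {
	View bool
	Exec bool
}

// ActionBinding is the metadata a dashboard / action-binding response carries.
type ActionBinding struct {
	ID    string
	Title string
	Icon  string
	Args  []string
}

// User is a hypothetical authenticated principal with per-action permissions
// keyed by action ID. A missing key yields the zero value, i.e. deny.
type User struct {
	Name  string
	Perms map[string]Permissions
}

// IsAllowedExec / IsAllowedView mirror the check named in the advisory;
// the signatures are assumptions for this example.
func (u *User) IsAllowedExec(actionID string) bool { return u.Perms[actionID].Exec }
func (u *User) IsAllowedView(actionID string) bool { return u.Perms[actionID].View }

// buildDashboardVulnerable shows the omission: exec is checked elsewhere (at
// execution time), but nothing filters the response on the view permission,
// so every binding's title, ID, icon and argument metadata is returned.
func buildDashboardVulnerable(u *User, all []ActionBinding) []ActionBinding {
	return all
}

// buildDashboardFixed enforces IsAllowedView() while constructing the response.
func buildDashboardFixed(u *User, all []ActionBinding) []ActionBinding {
	out := make([]ActionBinding, 0, len(all))
	for _, b := range all {
		if u.IsAllowedView(b.ID) {
			out = append(out, b)
		}
	}
	return out
}

// leakedBindings returns the IDs of bindings present in a response that the
// user is not permitted to view. An authorization regression test can assert
// that this is empty for every endpoint that serialises action metadata.
func leakedBindings(u *User, resp []ActionBinding) []string {
	var leaked []string
	for _, b := range resp {
		if !u.IsAllowedView(b.ID) {
			leaked = append(leaked, b.ID)
		}
	}
	return leaked
}

// sampleActions is constructed input: one action the restricted user may
// view and run, two it may neither view nor run.
func sampleActions() []ActionBinding {
	return []ActionBinding{
		{ID: "restart-web", Title: "Restart web server", Icon: "refresh", Args: nil},
		{ID: "rotate-keys", Title: "Rotate signing keys", Icon: "key", Args: []string{"keyring"}},
		{ID: "dump-db", Title: "Dump database", Icon: "database", Args: []string{"schema", "target"}},
	}
}

// restrictedUser is a constructed principal with view: false and exec: false
// on the two sensitive actions; "dump-db" is deliberately absent (deny by default).
func restrictedUser() *User {
	return &User{
		Name: "viewer",
		Perms: map[string]Permissions{
			"restart-web": {View: true, Exec: true},
			"rotate-keys": {View: false, Exec: false},
		},
	}
}

func main() {
	u := restrictedUser()
	all := sampleActions()
	fmt.Println("vulnerable response leaks:", leakedBindings(u, buildDashboardVulnerable(u, all)))
	fmt.Println("fixed response leaks:     ", leakedBindings(u, buildDashboardFixed(u, all)))
}
```

The fixed builder fails closed: an action with no permission entry is filtered out because the zero-value `Permissions` denies view, which is the behaviour to preserve when a new endpoint starts serialising action metadata.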
References
- github.com/OliveTin/OliveTin
- github.com/OliveTin/OliveTin/commit/d7962710e7c46f6bdda4188b5b0cdbde4be665a0
- github.com/OliveTin/OliveTin/releases/tag/3000.11.1
- github.com/OliveTin/OliveTin/security/advisories/GHSA-jf73-858c-54pg
- github.com/advisories/GHSA-jf73-858c-54pg
- nvd.nist.gov/vuln/detail/CVE-2026-30233