CVE-2026-27626: OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks
OliveTin’s shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second, independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip the type safety checks entirely before reaching `sh -c`.
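The check-by-declared-type pattern the advisory describes, beside the hardened form that validates every value reaching `sh -c` regardless of type or origin, as an added Go illustration. This is not OliveTin's code: the `Argument` struct, the list of checked types and the allowed character set are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// Argument as an action definition might describe it: a name, a declared
// type, and the caller-supplied value (hypothetical struct, not OliveTin's).
type Argument struct {
	Name  string
	Type  string
	Value string
}

// Characters accepted as a single shell word. Anything else, including
// ; | & $ ` ( ) < > quotes, whitespace and newlines, is treated as unsafe.
var safeValue = regexp.MustCompile(`^[A-Za-z0-9_.@:/\-]*$`)

// weakCheck models the flawed pattern: only argument types on an allowlist
// are inspected, so a type missing from the list (here "password") and a
// value that arrives with no declared type (as with values extracted from
// webhook JSON) are never validated before they reach the shell.
func weakCheck(args []Argument) error {
	checked := map[string]bool{"ascii": true, "url": true, "email": true}
	for _, a := range args {
		if !checked[a.Type] {
			continue // "password" and untyped values fall through unchecked
		}
		if !safeValue.MatchString(a.Value) {
			return fmt.Errorf("argument %q rejected", a.Name)
		}
	}
	return nil
}

// strictCheck is the hardened form: every value that will be interpolated
// into the command line is validated, whatever its type or source. (Passing
// values as argv entries to exec.Command instead of via sh -c removes the
// need for this filter altogether.)
func strictCheck(args []Argument) error {
	for _, a := range args {
		if !safeValue.MatchString(a.Value) {
			return fmt.Errorf("argument %q rejected", a.Name)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a password value carrying a shell metacharacter.
	args := []Argument{{"user", "ascii", "alice"}, {"pw", "password", "pa;ss"}}
	fmt.Println("weak:", weakCheck(args))     // weak: <nil>  (metacharacter passes)
	fmt.Println("strict:", strictCheck(args)) // strict: argument "pw" rejected
}
```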