Remote Code Execution in OliveTin Web Interface
CVE-2026-27626

10 CRITICAL

Key Information:

Vendor: OliveTin
Status: Vendor
CVE Published: 25 February 2026

What is CVE-2026-27626?

OliveTin, a web interface tool, has a significant vulnerability caused by improper handling of shell commands. Up to and including version 3000.10.0, the safety check 'checkShellArgumentSafety' fails to filter arguments of the 'password' type. This oversight allows authenticated users to inject shell metacharacters through such arguments and execute arbitrary OS commands. Furthermore, an independent flaw enables unauthenticated remote code execution (RCE): JSON values extracted from webhooks bypass the type safety checks entirely before the commands reach 'sh -c'. Exploited together, these flaws give an attacker unrestricted access to any OliveTin instance that uses Shell mode with webhook actions. As of the latest information, no patch has been released for this issue.
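To illustrate the argument-type gap the advisory describes, the following is an added example (not OliveTin's own code): a loose check that trusts any type without a validation rule, beside a hardened check that screens free-form values and rejects unknown types. The Argument struct, the type names and the sample value are hypothetical and constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Argument models one action argument; type names here are illustrative, not OliveTin's.
type Argument struct{ Name, Type, Value string }

// Characters that let a value escape its intended position once the line reaches "sh -c".
const shellMetachars = "$`;|&<>(){}\n\r'\"\\*?~!#"

var typePatterns = map[string]*regexp.Regexp{
	"ascii": regexp.MustCompile(`^[A-Za-z0-9 _.-]*$`),
	"int":   regexp.MustCompile(`^-?[0-9]+$`),
}

// checkLoose reproduces the flawed pattern: a type with no rule (here "password") is trusted.
func checkLoose(a Argument) error {
	if re, ok := typePatterns[a.Type]; ok && !re.MatchString(a.Value) {
		return fmt.Errorf("%s: value does not match type %q", a.Name, a.Type)
	}
	return nil // BUG: types without a pattern bypass validation entirely
}

// checkStrict is the hardened form: "password" values are screened for metacharacters,
// and a type with no rule at all is rejected rather than trusted.
func checkStrict(a Argument) error {
	if a.Type == "password" {
		if strings.ContainsAny(a.Value, shellMetachars) {
			return fmt.Errorf("%s: password contains shell metacharacters", a.Name)
		}
		return nil
	}
	re, ok := typePatterns[a.Type]
	if !ok {
		return fmt.Errorf("%s: unknown argument type %q", a.Name, a.Type)
	}
	if !re.MatchString(a.Value) {
		return fmt.Errorf("%s: value does not match type %q", a.Name, a.Type)
	}
	return nil
}

func main() {
	// Constructed sample: a password value carrying a command separator.
	a := Argument{Name: "pw", Type: "password", Value: "s3cret; true"}
	fmt.Println("loose:", checkLoose(a), "| strict:", checkStrict(a))
}
```

Values taken from webhook JSON need to pass the same check before any command is assembled; passing arguments as an argv array instead of through sh -c removes the metacharacter problem at its root.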

Affected Version(s)

OliveTin <= 3000.10.0

References

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
