OliveTin, Path Traversal, CVE-2026-31817 (High)

Listen to this Post

CVE-2026-31817 details a high-severity path traversal vulnerability in OliveTin, a web interface for running predefined shell commands. The flaw resides in the `StartAction` API endpoint when the `saveLogs` feature is enabled. In this mode, OliveTin logs every action execution to disk. The filename for these logs is dynamically generated using the user-supplied `UniqueTrackingId` parameter from the API request. Due to a lack of input validation and sanitization, an attacker can inject directory traversal sequences (e.g., ../../../) into this parameter. When the application constructs the file path, it fails to neutralize these sequences, allowing the attacker to break out of the intended log directory. Consequently, the attacker can write log entries to arbitrary locations on the file system with the privileges of the OliveTin process. This can lead to the overwriting of critical system files, the planting of malicious scripts (like a web shell in a web root), or other actions that compromise system integrity. The vulnerability is present in all versions prior to 3000.11.2 and is fixed in that release.

dailycve form:

Platform: OliveTin
Version: < 3000.11.2
Vulnerability : Path Traversal
Severity: High (CVSS:8.5)
date: 2026-03-10

Prediction: Patched in 3000.11.2

What Undercode Say:

Analytics:

The vulnerability stems from unsafe concatenation of user input into file paths. By analyzing the `StartAction` API request structure, an attacker can identify the `UniqueTrackingId` parameter. A successful attack requires the `saveLogs` feature to be enabled (default configuration unknown). The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L) indicates a network-based attack with low complexity, requiring low privileges, and has a high impact on integrity. The following command demonstrates how an attacker might probe for the vulnerability using `curl` to cause a log write to an observable location like /tmp:

curl -X POST http://target:1337/api/StartAction \
-H "Content-Type: application/json" \
-d '{"actionId": "some_command", "uniqueTrackingId": "../../../tmp/pwned"}'

Exploit:

An attacker crafts a malicious `StartAction` API request. The `uniqueTrackingId` contains path traversal sequences pointing to a sensitive location. The application writes the log entry there. For example, to write a log file to the web root (if known) to potentially execute later:

Hypothetical exploitation
curl -X POST http://victim:1337/api/StartAction \
-H "Content-Type: application/json" \
-d '{"actionId": "ls", "uniqueTrackingId": "../../../var/www/html/shell.php"}'

If the web server has write permissions in that directory, and the log content contains user-controllable data (like command output), this could result in code execution.

Protection from this CVE:

Immediate protection is achieved by updating to OliveTin version `3000.11.2` or later. As a temporary workaround, administrators can disable the `saveLogs` feature if it is not essential, preventing the file write operation entirely. Input validation must be implemented to sanitize the UniqueTrackingId, stripping out path traversal sequences (e.g., ../, ..\\) before using it in filesystem operations. Using a secure coding practice, such as generating a random UUID for the log filename server-side instead of trusting user input, is the recommended long-term fix.

Update command (example for Linux using curl)
curl -s https://api.github.com/repos/OliveTin/OliveTin/releases/latest | grep "browser_download_url.linux_amd64" | cut -d : -f 2,3 | wget -qi -
Or use package manager if available
sudo apt update && sudo apt install olivetin=3000.11.2

Impact:

Successful exploitation allows an attacker to write files anywhere on the target filesystem that the OliveTin process has write access to. This can lead to:
1. Data Integrity Loss: Overwriting critical system files (e.g., /etc/passwd, configuration files) to disrupt services or alter system behavior.
2. Privilege Escalation: If the OliveTin process runs with elevated privileges, writing to sensitive directories could lead to full system compromise.
3. Remote Code Execution: By writing a malicious script (e.g., PHP, JSP) into a web server’s document root and then accessing it via a browser, an attacker can execute arbitrary commands on the server.
4. Denial of Service: Filling up the disk or crashing the application by writing to invalid locations.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top