OliveTin Unauthenticated Access Control Vulnerability in KillAction RPC Allowing Denial-of-Service

Vulnerability

A broken access control vulnerability has been identified in OliveTin versions prior to 3000.11.0. This issue allows unauthenticated guests to terminate running actions through the KillAction RPC, even when the authRequireGuestsToLogin setting is enabled. While guests are correctly blocked from accessing the dashboard, they can still invoke KillAction directly, disrupting active tasks. This vulnerability creates an unauthorized denial-of-service condition by allowing guests to interfere with legitimate action executions.

Impact

Exploitation of this vulnerability leads to unauthorized termination of actions, causing disruption in workflows and interference with tasks that require privileged access.

Reproduction

The vulnerability can be reproduced by configuring OliveTin to require guests to log in, then starting a long-running action as an authenticated user. Afterward, an unauthenticated guest can call the KillAction RPC to terminate the action, bypassing the login requirement.

Remediation

Users can upgrade to OliveTin version 3000.11.0 or later, where this vulnerability has been patched.
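The root cause described above is a per-endpoint check that guards the dashboard but not KillAction. As an added illustration of the defensive pattern, not OliveTin's own code, the Go snippet below puts the guest gate in one dispatcher that runs before every handler, with an explicit allow-list so any RPC not listed is denied to guests by default; the Config field, Caller type, Handler signature and the RPC names "KillAction" and "Login" are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Config carries the setting named in the advisory; the Go field name is assumed.
type Config struct{ AuthRequireGuestsToLogin bool }
// Caller is the identity attached to an incoming RPC (hypothetical type).
type Caller struct{ IsGuest bool }
var ErrLoginRequired = errors.New("login required")

// Explicit allow-list: with logins required, only these RPCs are reachable by a
// guest; everything else, KillAction included, is denied by default.
// "Login" is a constructed placeholder, not OliveTin's actual RPC name.
var guestAllowedRPCs = map[string]bool{"Login": true}

// Authorize is one gate run before every handler, so the advisory's failure
// mode (a check present on the dashboard RPC but missing on KillAction) cannot recur.
func Authorize(cfg Config, caller Caller, rpc string) error {
	if !cfg.AuthRequireGuestsToLogin || !caller.IsGuest || guestAllowedRPCs[rpc] {
		return nil
	}
	return fmt.Errorf("%s: %w", rpc, ErrLoginRequired)
}

// Handler is a stand-in RPC handler signature.
type Handler func(caller Caller, arg string) (string, error)

// Dispatch routes every RPC through Authorize first, so a handler that lacks
// its own check is still protected.
func Dispatch(cfg Config, handlers map[string]Handler, rpc string, caller Caller, arg string) (string, error) {
	if err := Authorize(cfg, caller, rpc); err != nil {
		return "", err
	}
	h, ok := handlers[rpc]
	if !ok {
		return "", fmt.Errorf("unknown rpc %q", rpc)
	}
	return h(caller, arg)
}

func main() {
	handlers := map[string]Handler{
		"KillAction": func(_ Caller, id string) (string, error) { return "killed " + id, nil },
	}
	_, err := Dispatch(Config{AuthRequireGuestsToLogin: true}, handlers, "KillAction", Caller{IsGuest: true}, "exec-1")
	fmt.Println(err) // KillAction: login required
}
```

A regression test for the fixed version should exercise every RPC as a guest with the setting enabled, since the bug was an endpoint the dashboard-level check never covered.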

Added: Mar 5, 2026, 8:18 PM
Updated: Mar 5, 2026, 8:18 PM

Vulnerability Rating

Custom Algorithm

- spread: 0.0
- impact: 0.6
- exploitability: 7.3
- remediation: 0.0
- relevance: 3.5
- threat: 6.4
- urgency: 2.9
- incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.