OliveTin EventStream Unauthorized Output Disclosure Vulnerability

Vulnerability

A vulnerability in OliveTin versions through 3000.10.2 allows low-privileged authenticated users to access unauthorized output from shell commands executed by other users. This issue arises because the application’s live EventStream broadcasts execution results and action outputs to all authenticated dashboard subscribers without proper authorization checks. As a result, sensitive information may be inadvertently disclosed, leading to broken access control.
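The fix the advisory implies is a per-subscriber authorization check before execution output is fanned out. The following Go sketch is an added illustration, not OliveTin's own code: the `Subscriber`, `ExecutionFinished` and `Authorizer` names are assumed, and the ACL is a stand-in for whatever policy store the application uses.

```go
package main

import "fmt"

// Subscriber is a hypothetical dashboard EventStream client (assumed type).
type Subscriber struct {
	User   string
	Events []string // outputs this subscriber has received (collected for the example)
}

// ExecutionFinished is a hypothetical event carrying an action's output.
type ExecutionFinished struct {
	ActionID string
	RunBy    string
	Output   string
}

// Authorizer answers whether a user may view a given action (assumed ACL hook).
type Authorizer func(user, actionID string) bool

// broadcastUnfiltered mirrors the flawed pattern the advisory describes:
// every authenticated subscriber receives every execution result.
func broadcastUnfiltered(subs []*Subscriber, ev ExecutionFinished) {
	for _, s := range subs {
		s.Events = append(s.Events, ev.Output)
	}
}

// broadcastAuthorized is the hardened form: the ACL is consulted for each
// subscriber, and output is only delivered to users allowed to view the action.
func broadcastAuthorized(subs []*Subscriber, ev ExecutionFinished, canView Authorizer) {
	for _, s := range subs {
		if !canView(s.User, ev.ActionID) {
			continue // unauthorized subscribers never see the output
		}
		s.Events = append(s.Events, ev.Output)
	}
}

func main() {
	admin, viewer := &Subscriber{User: "admin"}, &Subscriber{User: "viewer"}
	// Constructed policy: only "admin" may view the "show-secret" action.
	acl := func(user, actionID string) bool { return user == "admin" }
	ev := ExecutionFinished{ActionID: "show-secret", RunBy: "admin", Output: "constructed-secret"}
	broadcastAuthorized([]*Subscriber{admin, viewer}, ev, acl)
	fmt.Printf("admin got %d event(s), viewer got %d\n", len(admin.Events), len(viewer.Events))
}
```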

Impact

Exploitation of this vulnerability allows low-privileged authenticated users to receive unauthorized execution output from privileged actions, including sensitive information such as secrets or internal system details. This bypasses intended access controls and could lead to unauthorized disclosure of operationally sensitive data.

Reproduction

The vulnerability can be reproduced by subscribing to the EventStream as a low-privileged authenticated user. Once subscribed, the EventStream will broadcast execution events and output from actions that the user is not authorized to view. This can be validated by executing a protected action that outputs sensitive information, such as a secret, and observing that the unauthorized user still receives the output through the EventStream.

Added: Mar 11, 2026, 9:28 PM
Updated: Mar 11, 2026, 9:28 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.