CVE-2026-48709: OliveTin: ValidateArgumentType API Endpoint's Missing Authentication Allows Action and Argument Enumeration

June 24, 2026

The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations.

References

github.com/OliveTin/OliveTin/commit/a3865704c854061452a4ab5f6d95de3312698ccd
github.com/OliveTin/OliveTin/releases/tag/3000.13.0
github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx
github.com/advisories/GHSA-f637-w7p2-m7fx
nvd.nist.gov/vuln/detail/CVE-2026-48709

Code Behaviors & Features

Detect and mitigate CVE-2026-48709 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →