https://vulnerability.circl.lu/sightings/feed 2026-06-25T20:42:43.615701+00:00 Vulnerability-Lookup info@circl.lu python-feedgen Contains only the most 10 recent sightings. https://vulnerability.circl.lu/sighting/cd8be0af-a6ff-42c3-a67b-af9d1f1f68e1/export 2026-06-25T20:42:43.636498+00:00 Joseph Lee https://cve.circl.lu/user/syspect {"uuid": "cd8be0af-a6ff-42c3-a67b-af9d1f1f68e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-48709", "type": "published-proof-of-concept", "source": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx", "content": "", "creation_timestamp": "2026-06-24T18:35:05.246942Z"} 2026-06-24T18:35:05.246942+00:00 https://vulnerability.circl.lu/sighting/258998c1-54ba-4029-bb11-c6cda285967b/export 2026-06-25T20:42:43.636190+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "258998c1-54ba-4029-bb11-c6cda285967b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48709", "type": "seen", "source": "https://gist.github.com/alon710/f2b2f51072808beda8e52a43b0bdd064", "content": "# CVE-2026-48709: CVE-2026-48709: Missing Authorization in OliveTin ValidateArgumentType RPC Endpoint\n\n> **CVSS Score:** 3.7\n> **Published:** 2026-06-24\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48709\n\n## Summary\nA missing authorization vulnerability in the OliveTin system allows unauthenticated remote actors to query the ValidateArgumentType RPC endpoint. By exploiting this flaw, attackers can execute systematic brute-force and side-channel validation attacks to enumerate active action binding IDs, parameter structures, and operational metadata, bypassing configured guest authentication barriers.\n\n## TL;DR\nOliveTin prior to version 3000.13.0 exposes its ValidateArgumentType API endpoint to unauthenticated guest users. Remote attackers can leverage this missing access control to execute oracle-style enumeration attacks, mapping out administrative action binding IDs and parameter requirements.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-862\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1**: 3.7\n- **EPSS Score**: 0.00269\n- **Impact**: Low (Information Disclosure / Reconnaissance)\n- **Exploit Status**: Proof of Concept (PoC) documented\n- **KEV Status**: Not listed in CISA KEV\n\n## Affected Systems\n\n- OliveTin (All versions prior to 3000.13.0)\n- **OliveTin**: < 3000.13.0 (Fixed in: `3000.13.0`)\n\n## Mitigation\n\n- Upgrade OliveTin to version 3000.13.0 or later\n- Deploy a reverse proxy (Nginx/Caddy) to block access to the ValidateArgumentType RPC endpoints\n- Use high-entropy, randomized action titles to prevent brute-forcing of binding IDs\n\n**Remediation Steps:**\n1. Step 1: Identify all running OliveTin containers or binary instances in the environment.\n2. Step 2: Update the deployment configurations (Docker Compose, systemd) to reference version 3000.13.0 or higher.\n3. Step 3: If upgrade is delayed, add a location block in the reverse proxy configuration to return 403 for /api/ValidateArgumentType.\n4. Step 4: Audit existing action titles and rewrite highly predictable names using high-entropy suffixes.\n\n## References\n\n- [GHSA-f637-w7p2-m7fx: OliveTin Missing Authorization in ValidateArgumentType](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx)\n- [NVD - CVE-2026-48709 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-48709)\n- [OliveTin GitHub Project Page](https://github.com/OliveTin/OliveTin)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48709) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T18:43:21.864665Z"} 2026-06-24T18:43:21.864665+00:00 https://vulnerability.circl.lu/sighting/a2146757-f5ab-430e-bd03-70b0f1bac47c/export 2026-06-25T20:42:43.633656+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "a2146757-f5ab-430e-bd03-70b0f1bac47c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48709", "type": "seen", "source": "https://gist.github.com/alon710/1366cab1be37fd922161593dd6bd5218", "content": "# CVE-2026-48709: CVE-2026-48709: Missing Authorization in OliveTin ValidateArgumentType RPC Endpoint\n\n> **CVSS Score:** 3.7\n> **Published:** 2026-06-24\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48709\n\n## Summary\nA missing authorization vulnerability in the OliveTin system allows unauthenticated remote actors to query the ValidateArgumentType RPC endpoint. By exploiting this flaw, attackers can execute systematic brute-force and side-channel validation attacks to enumerate active action binding IDs, parameter structures, and operational metadata, bypassing configured guest authentication barriers.\n\n## TL;DR\nOliveTin prior to version 3000.13.0 exposes its ValidateArgumentType API endpoint to unauthenticated guest users. Remote attackers can leverage this missing access control to execute oracle-style enumeration attacks, mapping out administrative action binding IDs and parameter requirements.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-862\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1**: 3.7\n- **EPSS Score**: 0.00269\n- **Impact**: Low (Information Disclosure / Reconnaissance)\n- **Exploit Status**: Proof of Concept (PoC) documented\n- **KEV Status**: Not listed in CISA KEV\n\n## Affected Systems\n\n- OliveTin (All versions prior to 3000.13.0)\n- **OliveTin**: < 3000.13.0 (Fixed in: `3000.13.0`)\n\n## Mitigation\n\n- Upgrade OliveTin to version 3000.13.0 or later\n- Deploy a reverse proxy (Nginx/Caddy) to block access to the ValidateArgumentType RPC endpoints\n- Use high-entropy, randomized action titles to prevent brute-forcing of binding IDs\n\n**Remediation Steps:**\n1. Step 1: Identify all running OliveTin containers or binary instances in the environment.\n2. Step 2: Update the deployment configurations (Docker Compose, systemd) to reference version 3000.13.0 or higher.\n3. Step 3: If upgrade is delayed, add a location block in the reverse proxy configuration to return 403 for /api/ValidateArgumentType.\n4. Step 4: Audit existing action titles and rewrite highly predictable names using high-entropy suffixes.\n\n## References\n\n- [GHSA-f637-w7p2-m7fx: OliveTin Missing Authorization in ValidateArgumentType](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx)\n- [NVD - CVE-2026-48709 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-48709)\n- [OliveTin GitHub Project Page](https://github.com/OliveTin/OliveTin)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48709) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T19:04:03.100639Z"} 2026-06-24T19:04:03.100639+00:00