CVE-2026-48708 (severity: HIGH; CNA: GitHub_M)

CVE-2026-48708: OliveTin has a Concurrent Template Parsing Race Condition which Leads to Cross-Request Command Contamination

OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level variable in service/internal/tpl/templates.go) across all goroutines. Every action execution calls tpl.Parse(source) followed by t.Execute() on this shared instance with no synchronization. When two or more actions execute concurrently (which is the normal case — each ExecRequest spawns a goroutine), a race condition occurs: one goroutine's Parse overwrites the template tree while another goroutine is calling Execute, causing cross-user command contamination, Go runtime panic, and incorrect command execution. This issue has been resolved in version 3000.13.0.
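The Parse-then-Execute pattern the advisory describes, beside a per-request fix, as an added Go example reconstructed from the description above (not OliveTin's own code; the `Job` type and the `renderShared`, `renderIsolated` and `RunConcurrently` names are assumed here). Only the isolated variant is safe to run concurrently; the shared variant is the bug shape and is shown for comparison.

```go
package main

import (
	"bytes"
	"sync"
	"text/template"
)

type Job struct{ Source, Data string } // command template + request argument

// Vulnerable shape from the advisory (reconstructed, not OliveTin's own code):
// one package-level template that every request re-parses and then executes.
// Parse rewrites the shared tree while another goroutine may be in Execute.
var sharedTpl = template.New("action")

func renderShared(job Job) (string, error) {
	if _, err := sharedTpl.Parse(job.Source); err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err := sharedTpl.Execute(&buf, job.Data)
	return buf.String(), err
}

// Fixed shape: a fresh Template per request, so goroutines share no parse state.
func renderIsolated(job Job) (string, error) {
	t, err := template.New("action").Parse(job.Source)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, job.Data)
	return buf.String(), err
}

// RunConcurrently renders each job in its own goroutine (one per ExecRequest,
// as in the advisory) and returns outputs and errors in job order.
func RunConcurrently(render func(Job) (string, error), jobs []Job) ([]string, []error) {
	out, errs := make([]string, len(jobs)), make([]error, len(jobs))
	var wg sync.WaitGroup
	for i, job := range jobs {
		wg.Add(1)
		go func(i int, job Job) {
			defer wg.Done()
			out[i], errs[i] = render(job)
		}(i, job)
	}
	wg.Wait()
	return out, errs
}
```

Running the isolated renderer under `go test -race` stays clean; pointing `RunConcurrently` at `renderShared` instead reproduces the shared-state access the advisory describes.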

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 3000.13.0
Affected Products: 1


HarborGuard Analysis

Synopsis

A concurrent template-parsing race condition in OliveTin (versions up to and including 3000.0.0) allows one authenticated user's goroutine to overwrite a shared template while another goroutine is executing it. The attack is reachable over the network, requires a low-privilege account, and needs no victim interaction. Successful exploitation causes cross-user command contamination (one user's shell command is injected into another user's execution context), Go runtime panics, and incorrect command execution. No patched image rebuild is currently available on HarborGuard, as no upstream fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-48708 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle OliveTin. Any image carrying an affected OliveTin version is flagged in the relevant registry or pipeline scan.

Triage: Available

Triage capability is available with the CVSS v3.1 base score of 7.5 (HIGH), weighted further by each customer organization's compliance policy configuration. Findings are routed to the appropriate team inbox within the customer org based on policy-defined severity thresholds and image ownership.

Patch: Pending upstream

Because no upstream fix version has been published for CVE-2026-48708, no patched-image rebuild is available yet. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched rebuild available automatically the moment an upstream fix is released.

Exploit Conditions

  • Network reachability: Required

    The vulnerable OliveTin web interface must be reachable over the network; the attacker sends concurrent action-execution requests to trigger the race condition remotely.

  • Authentication: Required

    A low-privilege account is sufficient; the attacker needs only the level of access required to trigger action executions through the OliveTin web interface.

  • Victim interaction: Not required

    No victim interaction is needed; the race condition is triggered purely by the attacker sending concurrent requests without any user having to click or approve anything.

  • Attack complexity: High

    Attack complexity is high because the exploit depends on a timing race between concurrent goroutines, requiring the attacker to reliably overlap a Parse call from one goroutine with an Execute call from another.

Blast Radius

  • One user's shell command is substituted into another user's execution context, causing unintended commands to run under the wrong user's session.
  • The Go runtime panics when the shared template tree is corrupted mid-execution, crashing the OliveTin service and denying access to all users.
  • An attacker can read the templated command output intended for another user, exposing sensitive data carried in those command results.
  • An attacker can cause arbitrary predefined shell commands to execute out of order or with wrong parameters, modifying system state beyond what the attacker's own permissions would normally allow.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-48708, automated patched-image rebuilds are not yet possible. In the meantime, HarborGuard monitors the advisory on every ingest cycle and will trigger a rebuild and, for customers with auto-remediation enabled, open a patch PR against affected workloads the moment an upstream fix version is released. While awaiting the patch, consider the following compensating controls: apply network-policy isolation to restrict which internal services and users can reach the OliveTin interface; use egress filtering to limit the blast radius of any cross-user command execution; and where operationally feasible, gate high-risk OliveTin actions behind a feature flag or access-control layer to reduce concurrency exposure. HarborGuard will surface the advisory status update automatically so no manual re-scan is required.

Affected packages
  • OliveTin / OliveTin: < 3000.13.0
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H