CVE-2026-31817
Published: 10 March 2026
Summary
CVE-2026-31817 is a high-severity Path Traversal (CWE-22) vulnerability in OliveTin. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 48.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31817 is a path traversal vulnerability (CWE-22) affecting OliveTin, an open-source web interface for executing predefined shell commands, in versions prior to 3000.11.2. When the saveLogs feature is enabled, OliveTin writes execution log entries to disk using a filename partially constructed from the user-supplied UniqueTrackingId field in the StartAction API request. This field lacks validation or sanitization, enabling attackers to inject directory traversal sequences such as "../../../" to direct log files to arbitrary filesystem locations.
The vulnerability has a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L), indicating exploitation over the network with low complexity by low-privileged authenticated users and no user interaction required. Successful exploitation allows attackers to write files to arbitrary paths on the server filesystem, potentially enabling persistence, configuration overwrites, or further compromise depending on write permissions and locations targeted, with high integrity impact, changed scope, low availability impact, and no confidentiality impact.
The OliveTin security advisory at https://github.com/OliveTin/OliveTin/security/advisories/GHSA-364q-w7vh-vhpc confirms the issue and states it is fixed in version 3000.11.2 by addressing the lack of sanitization in the UniqueTrackingId handling. Security practitioners should upgrade to 3000.11.2 or later and disable saveLogs if not needed, while reviewing access controls on the StartAction API endpoint.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10910
Vulnerability details
OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied UniqueTrackingId field in the StartAction API request. This value is not validated or sanitized before being used in a file path, allowing an attacker to use directory traversal sequences (e.g., ../../../) to write files to arbitrary locations on the filesystem. This vulnerability is fixed in 3000.11.2.
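As an added example, not code from the OliveTin project, the flawed filename construction described above sits beside a hardened version in Go (the language OliveTin is written in). The allowlist pattern, the function names and the /var/log/olivetin directory are assumptions for illustration, not the project's own.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed allowlist for UniqueTrackingId: alphanumerics, '-' and '_', 1..64
// characters. '/', '\' and '.' are rejected outright, so "../" cannot appear.
var trackingIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// unsafeLogPath mirrors the flawed pattern described in the advisory: the
// user-controlled id goes straight into the filename. filepath.Join cleans
// the result, so "../" components relocate the log file outside logDir.
func unsafeLogPath(logDir, trackingID string) string {
	return filepath.Join(logDir, trackingID+".log")
}

// safeLogPath validates the id against the allowlist, then confirms the resolved path is inside logDir.
func safeLogPath(logDir, trackingID string) (string, error) {
	if !trackingIDPattern.MatchString(trackingID) {
		return "", fmt.Errorf("tracking id %q rejected by allowlist", trackingID)
	}
	base := filepath.Clean(logDir)
	p := filepath.Join(base, trackingID+".log")
	if !withinDir(base, p) {
		return "", fmt.Errorf("log path %q escapes %q", p, base)
	}
	return p, nil
}

// withinDir reports whether p is base itself or a descendant of base.
func withinDir(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed sample ids: one benign, one carrying the traversal sequence.
	for _, id := range []string{"run-42", "../../../tmp/evil"} {
		fmt.Printf("unsafe: %s\n", unsafeLogPath("/var/log/olivetin", id))
		p, err := safeLogPath("/var/log/olivetin", id)
		fmt.Printf("safe:   %q err=%v\n", p, err)
	}
}
```

The second check in safeLogPath is redundant once the allowlist holds, but it keeps the write inside logDir even if the allowlist is later relaxed.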
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal vulnerability in the web-based OliveTin interface allows low-privileged remote attackers to overwrite arbitrary files via the network-accessible StartAction API, which maps directly to Exploit Public-Facing Application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the user-supplied UniqueTrackingId to block directory traversal sequences in log file path construction.
- SI-2 (Flaw Remediation): remediates the specific path traversal flaw by identifying, reporting, and applying the vendor fix in version 3000.11.2.
- Restricts or disables the unnecessary saveLogs feature to eliminate the vulnerable log writing mechanism entirely.