Platform
go
Component
github.com/olivetin/olivetin
Fixed in
3000.11.3
0.0.0-20260309102040-b03af0e2eca3
CVE-2026-31817 describes a high-severity vulnerability in OliveTin, a Go application (module github.com/olivetin/olivetin). The application builds a file path from the UniqueTrackingId without validating it, so an attacker who controls that value can make OliveTin write a file to a location of their choosing. Affected are all versions before commit b03af0e2eca3 (Go pseudo-version 0.0.0-20260309102040-b03af0e2eca3); the fix is also in release 3000.11.3.
The core of the vulnerability is that the UniqueTrackingId is used as a path component when OliveTin constructs the path of the per-execution log file. A value containing path separators or ".." segments therefore steers the write outside the intended log directory: a classic directory traversal turned into an arbitrary file write. What an attacker can do with that write depends on the privileges of the OliveTin process and on how much of the written file's content they can influence: overwriting configuration, binaries, cron entries or startup scripts can lead to code execution, and clobbering files the host depends on can cause denial of service. Successful exploitation can thus range from service disruption to full compromise of the host, and a planted file can serve as a persistent backdoor.
CVE-2026-31817 was publicly disclosed on 2026-03-12. There is currently no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet available, but the vulnerability's nature suggests that development of such exploits is likely.
Exploit Status
EPSS
0.26% (49th percentile)
The primary mitigation for CVE-2026-31817 is to upgrade OliveTin to a version that contains the fix: release 3000.11.3 or later, or any build at or after commit b03af0e2eca3 (Go pseudo-version 0.0.0-20260309102040-b03af0e2eca3). If upgrading is not immediately feasible, reduce exposure in the meantime: reject requests whose UniqueTrackingId contains path separators, backslashes or ".." at a reverse proxy or WAF in front of OliveTin (expect some risk of blocking legitimate requests), and run the OliveTin process with the least privilege your deployment allows, for example as a non-root user with a read-only root filesystem and a writable volume only for its log directory, so that an escaped write has few useful targets. Monitor for files created or modified by the OliveTin process outside its log directory, particularly under configuration, binary and scheduler directories.
Update OliveTin to version 3000.11.3 or higher. This version fixes the directory traversal vulnerability by validating and sanitizing the UniqueTrackingId field before using it in the log file path construction.
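To make the bug class concrete, here is an added Go example contrasting an unvalidated path join with the kind of validation the fix describes. It is not OliveTin's code: the log directory, the function names and the allowed character set are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// logDir is a constructed stand-in for the directory an application writes
// per-execution logs to. It is an assumption, not OliveTin's actual layout.
const logDir = "/var/lib/app/logs"

// unsafeLogPath shows the vulnerable pattern: an attacker-controlled tracking
// ID is joined straight into the path. filepath.Join cleans the result, so a
// value such as "../../../../etc/cron.d/evil" resolves to /etc/cron.d/evil.log.
func unsafeLogPath(trackingID string) string {
	return filepath.Join(logDir, trackingID+".log")
}

// trackingIDPattern allow-lists a conservative character set. No separators,
// no dots, no empty string, bounded length. The exact set is an assumption.
var trackingIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

var ErrBadTrackingID = errors.New("invalid tracking id")

// safeLogPath validates the ID against the allow-list first, then, as defence
// in depth, confirms the cleaned path still lies inside logDir.
func safeLogPath(trackingID string) (string, error) {
	if !trackingIDPattern.MatchString(trackingID) {
		return "", ErrBadTrackingID
	}
	p := filepath.Join(logDir, trackingID+".log")
	rel, err := filepath.Rel(logDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadTrackingID
	}
	return p, nil
}

func main() {
	// Constructed sample IDs: one benign, one traversal, one with a separator.
	for _, id := range []string{"b7c2e1", "../../../../etc/cron.d/evil", "a/b"} {
		fmt.Printf("unsafe: %q -> %q\n", id, unsafeLogPath(id))
		if p, err := safeLogPath(id); err != nil {
			fmt.Printf("safe:   %q -> rejected (%v)\n", id, err)
		} else {
			fmt.Printf("safe:   %q -> %q\n", id, p)
		}
	}
}
```

The allow-list does the real work here; the filepath.Rel check only catches mistakes if the pattern is later loosened. Note that filepath.Join's cleaning is not a defence: it normalises the ".." segments rather than rejecting them, which is exactly why the unsafe variant escapes the directory.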
CVE-2026-31817 is a high-severity vulnerability in OliveTin that lets an attacker write arbitrary files because the UniqueTrackingId is used unvalidated when the log file path is built, potentially leading to system compromise.
You are affected if you run an OliveTin release before 3000.11.3, or a build from the Go module before pseudo-version 0.0.0-20260309102040-b03af0e2eca3. Assess your deployments immediately.
Upgrade OliveTin to 3000.11.3 or later (Go module 0.0.0-20260309102040-b03af0e2eca3 or later). Until then, filter UniqueTrackingId values containing path separators or ".." in front of the application and run OliveTin with minimal filesystem write access as a temporary mitigation.
There is currently no indication of active exploitation in the wild, but the vulnerability's nature suggests that exploitation is possible.
Refer to the OliveTin project's official communication channels and repositories for the latest advisory and security updates.