CVE-2026-48708 - OliveTin template race command contamination
OliveTin before 3000.13.0 reused a single package-level Go
text/template.Template instance across concurrent action executions. Each
request reparsed attacker-influenced template source into the shared object and
then executed it without synchronization, allowing one request to overwrite the
template tree another request was about to execute.
That creates three real outcomes: cross-request command contamination, unsafe command/argument mismatches, and full process termination from concurrent map writes inside Go’s template internals.
When to use it
- A repository deploys, vendors, forks, packages, or configures OliveTin before
3000.13.0. - OliveTin actions render request arguments into shell, webhook, or post-completion templates under concurrent execution.
- Local forks or helper code use shared mutable
text/templatestate in command-rendering paths. - You need a bounded PR or triage note that upgrades OliveTin and proves per-request template isolation.
Inputs
- Go manifests, lock data, package/image manifests, deployment manifests, OliveTin action config, SBOMs, generated reports, forks, and plugins.
- Command-rendering paths, template helper code, action execution entrypoints, and concurrency behavior.
- Safe test action fixtures, non-destructive command substitutes, and available tests, build, image build, deployment render, SBOM, and dependency scans.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
github.com/OliveTin/OliveTin |
<3000.13.0 |
3000.13.0 |
Note: the GitHub Advisory Database also expresses the patched Go module as the
pseudo-version 0.0.0-20260521225117-d74da9314005. The vendor release
evidence maps that fix to OliveTin 3000.13.0.
Indicator-of-exposure
- The repository deploys or vendors OliveTin
<3000.13.0. - OliveTin actions use templated
shell,shellAfterCompleted, webhook, or other action content that renders request arguments into commands. - The runtime permits concurrent action execution, which is OliveTin’s normal execution model.
- A local fork or patch still keeps a shared package-level template instance in
service/internal/tpl/templates.goor equivalent code.
Quick checks:
rg -n "OliveTin|ghcr.io/olivetin|docker.io/jamesread/olivetin|3000\." .
rg -n "template.New\\(\"tpl\"\\)|ParseTemplateWithActionContext|parseTemplate|ExecRequest" .
Windows:
rg -n "OliveTin|ghcr.io/olivetin|docker.io/jamesread/olivetin|3000\." .
rg -n "template.New\\(\"tpl\"\\)|ParseTemplateWithActionContext|parseTemplate|ExecRequest" .
Remediation strategy
- Upgrade OliveTin to
3000.13.0+. - Remove any shared mutable template instance from the execution path; parse templates per request or clone immutable state before execution.
- Add concurrency regression tests that run multiple action executions in parallel and prove templates cannot cross-contaminate or crash the process.
- Review nearby command-rendering paths for other package-level mutable state, because the primary risk is unsafe shared execution context.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-48708 / GHSA-7fq5-7wr8-rjwj in OliveTin. A shared
`text/template.Template` instance is reparsed and executed concurrently, which
can mix one request's command template into another request's execution path or
crash the process. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades OliveTin, removes the shared
mutable template hazard, adds concurrency regression coverage, and documents
operator validation, or
- TRIAGE.md if this repository does not control an affected OliveTin runtime.
## Rules
- Scope only CVE-2026-48708 and directly related command-rendering hardening.
- Do not fire destructive shell commands or race live production actions to
prove exploitability.
- Treat action definitions, rendered commands, API keys, bearer tokens,
webhook payloads, and execution logs as sensitive.
- Prefer per-request template construction or safe cloning over adding a broad
mutex around unsafe shared state unless the codebase clearly requires that
tradeoff.
- Do not auto-merge.
## Steps
1. Inventory every OliveTin package, image, binary, manifest, and deployment
controlled by this repository.
2. Confirm whether any runtime resolves `<3000.13.0`.
3. Trace the template-rendering path from action execution entrypoints through
command construction to confirm whether a shared mutable template object is
present.
4. Identify custom forks, plugins, or adjacent command-rendering helpers that
copied the same shared-template pattern.
5. If the repository does not control the affected runtime, stop with
`TRIAGE.md` naming the owning team, vulnerable version, and required fixed
version `3000.13.0+`.
6. Upgrade to `3000.13.0+` and refresh lockfiles, containers, manifests, SBOMs,
and deployment documentation.
7. If local code still renders templates, refactor so each render uses isolated
template state and cannot mutate another request's execution context.
8. Add regression tests that execute multiple actions in parallel and assert:
- no cross-request template contamination;
- no process crash or concurrent map write;
- expected rendered command text per request.
9. Add a PR body section named `CVE-2026-48708 operator actions` covering:
- versions before and after;
- whether the fix came from upstream `3000.13.0+` or a local patch;
- what concurrency tests or stress checks passed;
- any command-rendering paths reviewed beyond the primary sink;
- any operator rollback or restart requirements.
10. Run available validation: tests, build, image build, deployment render, and
dependency/security scans.
11. Use PR title:
`fix(sec): isolate OliveTin template execution state`.
## Stop conditions
- No affected OliveTin runtime is controlled by this repository.
- The repository only references OliveTin operationally and cannot patch or
redeploy it.
- Verification would require racing real high-impact actions in a shared
environment.
- Local forks diverge from upstream enough that maintainers must approve the
concurrency design change first; capture that in `TRIAGE.md`.
Verification - what the reviewer looks for
- No controlled OliveTin deployment resolves
<3000.13.0. - No execution path reparses attacker-influenced templates into shared package-level mutable state.
- Parallel regression tests prove one request cannot influence another request’s rendered command text.
- Operator notes identify the fixed image or binary version actually deployed.
Output contract
- Reviewer-ready PR upgrading OliveTin to
3000.13.0+or patching owned forks to eliminate shared mutable template execution state. - Parallel regression tests proving no cross-request command contamination, process crash, or concurrent map write occurs.
- Operator notes for fixed binary/image version, command-rendering paths reviewed, restart/rollback needs, and validation commands.
TRIAGE.mdwhen this repository does not control the affected runtime or the local fork needs maintainer approval before design changes.
Watch for
- Upgrading the container tag while a vendored fork or downstream patch keeps the old shared-template helper.
- Guarding one template function with a mutex while other command-rendering paths still reuse shared mutable template state.
- Test coverage that only validates single-threaded execution and misses the concurrent contamination path.
Related recipes
- CVE-2026-49143 browserstack-runner log handler RCE
- Source code supply-chain build integrity audit
- CVE intelligence intake gate
References
- GitHub Advisory: https://github.com/advisories/GHSA-7fq5-7wr8-rjwj
- Vendor advisory: https://github.com/OliveTin/OliveTin/security/advisories/GHSA-7fq5-7wr8-rjwj
- CVE Record: https://www.cve.org/CVERecord?id=CVE-2026-48708
- Release evidence: https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0
- Patch: https://github.com/OliveTin/OliveTin/commit/d74da9314005