CVE-2026-53541

MEDIUMPre-NVD 4.34.3
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 4.3 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
4.3
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 4.3Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

OliveTin has Unvalidated ot_-prefixed Arguments that Bypass Input Filtering

Description

The filterToDefinedArgumentsOnly function in the executor is intended to discard any arguments not explicitly defined in the action's configuration. However, a special case allows any argument whose name starts with ot_ to bypass this filter. While two system arguments (ot_executionTrackingId and ot_username) are injected by OliveTin and overridden, all other ot_-prefixed arguments supplied by the user pass through unmodified.

These bypassed arguments are:

  • Not type-checked — the validation loop only iterates over the action's defined arguments, so ot_-prefixed arguments skip all type safety checks entirely.
  • Set as environment variables — via buildEnv(), with completely unvalidated values, and passed to the executed command.
  • Included in the template context — available as .Arguments.ot_* in template rendering.

Affected Code

Filter bypass — service/internal/executor/executor.go (lines 728–731):

func keepArgument(name string, definedNames map[string]struct{}) bool {
    _, ok := definedNames[name]
    return ok || strings.HasPrefix(name, "ot_")
}

System args only override two keys — service/internal/executor/executor.go (lines 742–745):

func injectSystemArgs(req *ExecutionRequest) {
    req.Arguments["ot_executionTrackingId"] = req.TrackingID
    req.Arguments["ot_username"] = req.AuthenticatedUser.Username
}

Any other ot_-prefixed argument (e.g., ot_malicious) survives both functions.

Unvalidated values become environment variables — service/internal/executor/executor.go (lines 867–882):

func buildEnv(args map[string]string) []string {
    ret := append(os.Environ(), "OLIVETIN=1")
    for k, v := range args {
        varName := fmt.Sprintf("%v", strings.TrimSpace(strings.ToUpper(k)))
        if varName == "" { continue }
        ret = append(ret, fmt.Sprintf("%v=%v", varName, v))
    }
    return ret
}

The value v is never validated. It can contain newlines, shell metacharacters, null bytes, or any arbitrary data.

Proof of Concept

An attacker sends a StartAction request with extra ot_-prefixed arguments:

{
  "bindingId": "",
  "arguments": [
    { "name": "ot_custom_var", "value": "arbitrary unvalidated content \n with newlines" },
    { "name": "ot_another",    "value": "$(whoami)" }
  ]
}

These arguments:

  • Pass through filterToDefinedArgumentsOnly (the ot_ prefix exempts them).
  • Are never type-checked (not in the action's argument definitions).
  • Become environment variables OT_CUSTOM_VAR and OT_ANOTHER in the executed command's environment.
  • Are available in the template rendering context as .Arguments.ot_custom_var and .Arguments.ot_another.

Impact

  • Environment variable pollution — attacker can set arbitrary environment variables (with OT_ uppercased prefix) in the execution environment of any action they can trigger. Scripts or programs that read custom environment variables could be influenced.
  • Potential for secondary exploitation — if any executed script or command reads OT_-prefixed environment variables, the unvalidated content could cause unexpected behavior.
  • Template context pollution — although Go's text/template does not recursively evaluate data values (mitigating direct template injection), the extra arguments are accessible in the template context and could interact unexpectedly with custom template logic.

Suggested Fix

Remove the ot_ prefix exception from keepArgument, or restrict it to only the two known system arguments:

var systemArgs = map[string]struct{}{
    "ot_executionTrackingId": {},
    "ot_username":            {},
}

func keepArgument(name string, definedNames map[string]struct{}) bool { _, isDefined := definedNames[name] _, isSystem := systemArgs[name] return isDefined || isSystem }


Discovery Methodology

Both vulnerabilities were identified through manual source code review of the OliveTin repository, focusing on:

  • Input validation boundaries (API request fields flowing into file system operations and execution contexts)
  • Argument filtering and type-checking logic in the executor
  • File path construction in the log persistence feature

No automated scanners or fuzzing tools were used. The review was conducted against the current main branch source code.


CVSS v3
4.3
EG Score
4.3(low)
EPSS
KEV
Not listed

Published

June 24, 2026

Last Modified

June 24, 2026

Vendor Advisories for CVE-2026-53541(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 7× in last 7d / 12× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 14:19 UTCEG score recompute
  2. 2026-07-05 12:28 UTCEG score recompute
  3. 2026-07-04 10:32 UTCEG score recompute
  4. 2026-07-03 08:42 UTCEG score recompute
  5. 2026-07-02 06:52 UTCEG score recompute
  6. 2026-07-01 05:03 UTCEG score recompute
  7. 2026-06-30 03:14 UTCEG score recompute
  8. 2026-06-29 01:26 UTCEG score recompute
  9. 2026-06-27 23:37 UTCEG score recompute
  10. 2026-06-26 21:48 UTCEG score recompute
  11. 2026-06-25 19:51 UTCEG score recompute
  12. 2026-06-24 18:02 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-53541?
CVE-2026-53541 is a medium vulnerability published on June 24, 2026. OliveTin has Unvalidated ot_-prefixed Arguments that Bypass Input Filtering Description The filterToDefinedArgumentsOnly function in the executor is intended to discard any arguments not explicitly defined in the action's configuration. However, a special case allows any argument whose name starts…
When was CVE-2026-53541 disclosed?
CVE-2026-53541 was first published in the National Vulnerability Database on June 24, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-53541?
CVE-2026-53541 has a CVSS v4.0 base score of 4.3 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-53541?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-53541, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-53541

Explore →

Is Your Infrastructure Affected by CVE-2026-53541?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.