
OliveTin

v3000.13.0 Security

This release includes 2 security fixes relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 2 known CVEs

Topics

api container homeautomation linux maturity-prod self-hosted service sysadmin

Affected surfaces

rce_ssrf

ReleasePort's take

Light signal
editorial:auto 12d

Version 3000.13.0 introduces API Key (bearer) authentication and addresses several security concerns including command contamination from shared template instances and argument enumeration via validation endpoints.

Why it matters: Patch immediately to mitigate command‑contamination and argument‑enumeration risks; evaluate the new bearer‑token auth for system hardening.

Summary

AI summary

Updates Container images, Others, and Bug fixes across a mixed release.

Changes in this release

Security Medium

Shared template instances could cause command contamination


Source: llm_adapter@2026-05-22

Confidence: low

Security Medium

Validation endpoints allow argument enumeration


Source: llm_adapter@2026-05-22

Confidence: low

Feature Medium

API Key (bearer) auth added


Source: llm_adapter@2026-05-22

Confidence: high

Performance Medium

No performance improvements or regressions noted in changelog.


Source: llm_adapter@2026-05-22

Confidence: low

Bugfix Medium

Entities view shows a nicer view when there are 0 entities


Source: llm_adapter@2026-05-22

Confidence: low

Full changelog

Changelog

Security

  • d74da9314005954dd49fa20dabf272247bc76519 security: GHSA-7fq5-7wr8-rjwj (HIGH) Shared template instances could cause command contamination
  • a3865704c854061452a4ab5f6d95de3312698ccd security: GHSA-f637-w7p2-m7fx (LOW) Validation endpoints allow argument enumeration

Features

  • 246e33d565aafc4bdec01e3541c2cd87de787d19 feat: API Key (bearer) auth
  • 75b958183501f9f42d8a962f1c53462e4d10b04a feat: API Key (bearer) auth (#1032)

Bug fixes

  • d4ca9c073aaf932e846f1be1586abe94f5aa154d fix: Entities view shows a nicer view when there are 0 entities
  • 53359a9960664a9ebbf25e2806c4d73f4be399cc fix: Entities view shows a nicer view when there are 0 entities (#1031)

Others

  • 437255e24705ca8b7a639c7cd9dd42d84501fd1d Merge commit from fork
  • 9ea01bbd0b22826ebe82dbc22b1dc01ec1e039cc Merge commit from fork
  • 8bf52fbea38212e269cbe82f596616b8625a562b Next (#1033)

Container images (from GitHub)

  • docker pull ghcr.io/olivetin/olivetin:3000.13.0

Container images (on Docker Hub)

  • docker pull docker.io/jamesread/olivetin:3000.13.0

Upgrade warnings, or breaking changes

  • No such issues between the last release and this version.

Useful links

Thanks for your interest in OliveTin!

Security Fixes

  • GHSA-7fq5-7wr8-rjwj (HIGH) — Shared template instances could cause command contamination
  • GHSA-f637-w7p2-m7fx (LOW) — Validation endpoints allow argument enumeration


About OliveTin

OliveTin gives safe and simple access to predefined shell commands from a web interface.
