Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS). The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits. This issue has been patched in version 3000.10.2.
Published: 2026-03-05
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

OliveTin’s PasswordHash API endpoint permits unauthenticated users to trigger excessive memory allocation by submitting a large number of parallel requests. The endpoint performs computationally and memory‑intensive hash operations without authentication, throttling, or resource limits, so an attacker who can reach it can deplete the container’s available memory and degrade or halt the web service. The result is a loss of availability for OliveTin itself and for any workflow that depends on it; confidentiality and integrity are not affected. The weakness is classified as CWE‑400 (Uncontrolled Resource Consumption) and CWE‑770 (Allocation of Resources Without Limits or Throttling).

Affected Systems

OliveTin releases prior to version 3000.10.2 are affected. The vulnerability exists in every build that exposes the PasswordHash endpoint without authentication controls, regardless of the platform the OliveTin container runs on. The vendor advisory (GHSA‑pc8g‑78pf‑4xrp) states that the issue was fixed in the 3000.10.2 release, so only installations older than that are vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) rates the issue High: it is reachable over the network, has low attack complexity, requires no privileges or user interaction, and has a high impact on availability only. The EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild over the next 30 days, and the vulnerability is not listed in CISA’s KEV catalog, so there was no confirmed in‑the‑wild exploitation at the time of analysis. The SSVC assessment nevertheless records Exploitation: poc and Automatable: yes: a proof of concept exists, and the attack path (a burst of otherwise legitimate HTTP requests to the endpoint) is trivially scripted from any network position that can reach the service. Patching, and in the interim limiting who can reach the endpoint and how often, is therefore essential.

Generated by OpenCVE AI on April 16, 2026 at 12:13 UTC.

Remediation

Vendor fix: upgrade to OliveTin 3000.10.2 or later (see GHSA‑pc8g‑78pf‑4xrp). No vendor‑supplied workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade OliveTin to version 3000.10.2 or later to remove the problematic code path.
  • If an upgrade is not immediately possible, restrict network access to the OliveTin instance, or at least to the PasswordHash endpoint, using firewall rules, network segmentation, or an authenticating reverse proxy, so that only trusted clients can reach it.
  • Enforce request‑rate and concurrency limits on the PasswordHash API (for example at a reverse proxy in front of OliveTin, since the application itself imposes none before 3000.10.2) so that a burst of concurrent calls cannot exhaust the container’s memory.
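The pattern behind this advisory is an unbounded fan‑out: every incoming request immediately starts an expensive hash, so N parallel requests hold N working sets in memory at once. The example below is added here to illustrate that failure mode and the mitigation recommended above; it is not OliveTin’s code, and since OliveTin is a Go application it is written in Go. The hash function is a stand‑in that allocates a 1 MiB scratch buffer per call (it is not the algorithm OliveTin uses), `unboundedHandler` mirrors the vulnerable shape, and `Limiter` caps in‑flight hashes with a counting semaphore, rejecting overflow with 503 and a `Retry-After` header instead of queuing it. `Burst` fires concurrent requests at either variant against an in‑process test server so the two behaviours can be compared offline.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// expensiveHash is a STAND-IN for a memory-hard password hash (not the function
// OliveTin uses): it allocates a 1 MiB scratch buffer per call and runs SHA-256
// over it repeatedly, so every concurrent call costs real memory and CPU.
func expensiveHash(password string) string {
	const scratchSize = 1 << 20
	buf := make([]byte, scratchSize)
	copy(buf, password)
	sum := sha256.Sum256(buf)
	for i := 0; i < 64; i++ {
		copy(buf[(i*32)%scratchSize:], sum[:])
		sum = sha256.Sum256(buf)
	}
	return hex.EncodeToString(sum[:])
}

// unboundedHandler has the vulnerable shape described in the advisory: every
// request starts a hash immediately, so N parallel requests hold N scratch
// buffers at the same time and nothing stops N from growing.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(io.LimitReader(r.Body, 4096))
	fmt.Fprint(w, expensiveHash(string(body)))
}

// Limiter bounds in-flight hashes with a buffered channel used as a counting
// semaphore. A request that cannot get a slot within wait is rejected rather
// than queued, so memory use is capped at maxInFlight scratch buffers.
type Limiter struct {
	slots chan struct{}
	wait  time.Duration
}

func NewLimiter(maxInFlight int, wait time.Duration) *Limiter {
	return &Limiter{slots: make(chan struct{}, maxInFlight), wait: wait}
}

// tryAcquire returns a release func, or nil if no slot opened within l.wait.
func (l *Limiter) tryAcquire() func() {
	select {
	case l.slots <- struct{}{}:
		return func() { <-l.slots }
	case <-time.After(l.wait):
		return nil
	}
}

// Wrap turns any handler into one whose concurrency is capped by the Limiter.
func (l *Limiter) Wrap(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		release := l.tryAcquire()
		if release == nil {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "hashing capacity exhausted, retry later", http.StatusServiceUnavailable)
			return
		}
		defer release()
		next(w, r)
	}
}

// Burst sends n concurrent POSTs (constructed sample bodies) to h on an
// in-process test server and returns a histogram of HTTP status codes.
func Burst(h http.Handler, n int) map[int]int {
	srv := httptest.NewServer(h)
	defer srv.Close()
	var mu sync.Mutex
	var wg sync.WaitGroup
	codes := map[int]int{}
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			resp, err := http.Post(srv.URL, "text/plain", strings.NewReader(fmt.Sprintf("pw-%d", i)))
			if err != nil {
				return
			}
			io.Copy(io.Discard, resp.Body)
			resp.Body.Close()
			mu.Lock()
			codes[resp.StatusCode]++
			mu.Unlock()
		}(i)
	}
	wg.Wait()
	return codes
}

func main() {
	// Unbounded: all 50 requests are served, and 50 MiB of scratch is live at once.
	fmt.Println("unbounded:", Burst(http.HandlerFunc(unboundedHandler), 50))
	// Limited: at most 4 hashes run concurrently; the rest receive 503.
	lim := NewLimiter(4, 10*time.Millisecond)
	fmt.Println("limited:  ", Burst(lim.Wrap(unboundedHandler), 50))
}
```

The semaphore caps memory, but on its own it lets an unauthenticated client monopolise the slots; in production it belongs behind the authentication and network restrictions listed above, with a per‑client rate limit (by source IP or session) so that one attacker cannot starve legitimate users, and with a bounded `Retry-After` so well‑behaved clients back off.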



Advisories
Source: GitHub GHSA
ID: GHSA-pc8g-78pf-4xrp
Title: OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint
History

Tue, 10 Mar 2026 15:45:00 +0000

CPEs added: cpe:2.3:a:olivetin:olivetin:*:*:*:*:*:*:*:*

Fri, 06 Mar 2026 18:15:00 +0000

Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

First Time appeared: Olivetin; Olivetin olivetin
Vendors & Products added: Olivetin; Olivetin olivetin

Thu, 05 Mar 2026 20:00:00 +0000

Description added: OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS). The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits. This issue has been patched in version 3000.10.2.
Title added: OliveTin: Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint
Weaknesses added: CWE-400, CWE-770
References added: (none listed)
Metrics added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T18:02:40.848Z

Reserved: 2026-02-26T18:38:13.889Z

Link: CVE-2026-28342

Vulnrichment

Updated: 2026-03-06T18:02:28.622Z

NVD

Status : Analyzed

Published: 2026-03-05T20:16:15.837

Modified: 2026-03-10T15:43:24.330

Link: CVE-2026-28342

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:15:35Z

Weaknesses