{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28789", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T14:25:19.244Z", "datePublished": "2026-03-05T19:33:46.924Z", "dateUpdated": "2026-03-06T18:01:38.094Z"}, "containers": {"cna": {"title": "OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-662", "lang": "en", "description": "CWE-662: Improper Synchronization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"}, {"name": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36", "tags": ["x_refsource_MISC"], "url": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36"}], "affected": [{"vendor": "OliveTin", "product": "OliveTin", "versions": [{"version": "< 3000.10.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T19:33:46.924Z"}, "descriptions": [{"lang": "en", "value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin\u2019s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3."}], "source": {"advisory": "GHSA-45m3-398w-m2m9", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T18:01:34.546987Z", "id": "CVE-2026-28789", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:01:38.094Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28789", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T18:01:34.546987Z"}}}], "references": [{"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:01:27.656Z"}}], "cna": {"title": "OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling", "source": {"advisory": "GHSA-45m3-398w-m2m9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OliveTin", "product": "OliveTin", "versions": [{"status": "affected", "version": "< 3000.10.3"}]}], "references": [{"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9", "name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36", "name": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin\u2019s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-662", "description": "CWE-662: Improper Synchronization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T19:33:46.924Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28789", "state": "PUBLISHED", "dateUpdated": "2026-03-06T18:01:38.094Z", "dateReserved": "2026-03-03T14:25:19.244Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T19:33:46.924Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:olivetin:olivetin:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B4582D9-169E-40D5-8E85-A2C591F413A9", "versionEndIncluding": "3000.10.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin\u2019s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3."}, {"lang": "es", "value": "OliveTin proporciona acceso a comandos de shell predefinidos desde una interfaz web. Antes de la versi\u00f3n 3000.10.3, existe una vulnerabilidad de denegaci\u00f3n de servicio no autenticada en el flujo de inicio de sesi\u00f3n OAuth2 de OliveTin. Las solicitudes concurrentes a /oauth/login pueden desencadenar un acceso no sincronizado a un mapa registeredStates compartido, causando un p\u00e1nico en tiempo de ejecuci\u00f3n de Go (error fatal: escrituras concurrentes en el mapa) y la terminaci\u00f3n del proceso. Esto permite a los atacantes remotos bloquear el servicio cuando OAuth2 est\u00e1 habilitado. Este problema ha sido parcheado en la versi\u00f3n 3000.10.3."}], "id": "CVE-2026-28789", "lastModified": "2026-03-10T15:42:11.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-05T20:16:16.653", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-662"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3000.10.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "OliveTin", "source": "cna", "vendor": "OliveTin"}, "product": "olivetin", "vendor": "olivetin"}], "created": "2026-03-06T15:01:14.875493+00:00", "updated": "2026-03-06T15:01:14.875567+00:00", "vendors": ["olivetin", "olivetin$PRODUCT$olivetin"]}