CVE-2026-28789 - Vulnerability Details

- OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling

Description

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.

Published: 2026-03-05

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

OliveTin allows execution of predetermined shell commands via a web interface. In versions prior to 3000.10.3, the OAuth2 login flow contains an unguarded concurrent write to a shared states map. Multiple simultaneous requests to the /oauth/login endpoint can trigger a Go runtime panic, terminating the process. The flaw is exploitable without authentication, allowing remote attackers to crash the service whenever OAuth2 is enabled.

Affected Systems

OliveTin software versions earlier than 3000.10.3 are affected. The vulnerability is tied to the OAuth2 authentication mechanism within the OliveTin application.

Risk and Exploitability

The CVSS score is 7.5, indicating a high impact denial‑of‑service vulnerability. EPSS is below 1 %, suggesting a low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. The likely attack vector is remote, unauthenticated HTTP requests targeting the /oauth/login endpoint. Exploitation requires the ability to send concurrent requests; no special privileges or network access are needed beyond reaching the OliveTin service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

OliveTin

affected

Version	Status	Constraints
`< 3000.10.3`	affected	—

Configuration 1 [-]

cpe:2.3:a:olivetin:olivetin:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Olivetin

100%

Version	Status	Scheme	Platform
`[0,3000.10.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade OliveTin to version 3000.10.3 or newer, where the concurrent map write bug has been fixed.
If upgrading immediately is not possible, disable OAuth2 authentication to eliminate the vulnerable endpoint.
After applying a patch or disabling OAuth2, restart the OliveTin service to ensure the updated code is running and monitor for repeated crashes.

Generated by OpenCVE AI on April 16, 2026 at 12:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-45m3-398w-m2m9	OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0019.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36
https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9

History

Tue, 10 Mar 2026 15:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:olivetin:olivetin::::::::

Fri, 06 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Olivetin Olivetin olivetin
Vendors & Products		Olivetin Olivetin olivetin

Thu, 05 Mar 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.
Title		OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling
Weaknesses		CWE-362 CWE-400 CWE-662
References		https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36 https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Olivetin Olivetin

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-05T19:33:46.924Z

Updated: 2026-03-06T18:01:38.094Z

Reserved: 2026-03-03T14:25:19.244Z

Link: CVE-2026-28789

Vulnrichment

Updated: 2026-03-06T18:01:27.656Z

NVD

Status : Analyzed

Published: 2026-03-05T20:16:16.653

Modified: 2026-03-10T15:42:11.730

Link: CVE-2026-28789

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:15:35Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object