CVE-2026-28790 - Vulnerability Details

- OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login

Description

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.

Published: 2026-03-05

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

OliveTin allows an unauthenticated guest to prematurely terminate any running action by invoking the KillAction RPC, even when guests are required to log in. This broken access control results in a denial‑of‑service against legitimate executions and can disrupt scheduled tasks or operational processes. The weakness aligns with CWE‑284, CWE‑862, and CWE‑863.

Affected Systems

The flaw impacts OliveTin installations prior to version 3000.11.0. All affected deployments, regardless of the guests setting, are vulnerable until the patch is applied; version 3000.11.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, yet the EPSS score of less than 1 % suggests exploitation is currently unlikely. The attack requires network access to the OliveTin server and the ability to send a valid RPC request; guests are otherwise blocked from the GUI dashboard, so the weaponization path relies solely on the exposed KillAction endpoint. The vulnerability is not listed in CISA’s KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

OliveTin

affected

Version	Status	Constraints
`< 3000.11.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:olivetin:olivetin:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Olivetin

100%

Version	Status	Scheme	Platform
`[0,3000.11.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade OliveTin to version 3000.11.0 or later to apply the official patch.
Verify that authRequireGuestsToLogin is enabled to enforce guest login, which is now complemented by the patch.
As a temporary measure, block the KillAction endpoint at the network level using a firewall or reverse proxy to prevent unauthorized RPC calls.

Generated by OpenCVE AI on April 16, 2026 at 12:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-4fqm-6fmh-82mq	OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00111.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9
https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0
https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq

History

Tue, 10 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:olivetin:olivetin::::::::

Fri, 06 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Olivetin Olivetin olivetin
Vendors & Products		Olivetin Olivetin olivetin

Thu, 05 Mar 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.
Title		OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login
Weaknesses		CWE-284 CWE-862 CWE-863
References		https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9 https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0 https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Olivetin Olivetin

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-05T19:34:53.951Z

Updated: 2026-03-06T17:57:04.488Z

Reserved: 2026-03-03T14:25:19.244Z

Link: CVE-2026-28790

Vulnrichment

Updated: 2026-03-06T17:56:50.373Z

NVD

Status : Analyzed

Published: 2026-03-05T20:16:16.820

Modified: 2026-03-10T15:29:58.073

Link: CVE-2026-28790

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:15:35Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object