CVE-2026-28789 OliveTin — Exploit & Vulnerability Details HIGH

Parameter	Value
CVSS	7.5 (HIGH)
Fixed In	3000.10.3
Type	CWE-662 (Improper Synchronization), CWE-362 (Race Condition), CWE-400 (Uncontrolled Resource Consumption)
Vendor	OliveTin
Public PoC	No

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination.

This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

None

No privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

None

No data leak

Integrity

None

No data modification

Availability

High

Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-662 Improper Synchronization

CWE-362 Race Condition

CWE-400 Uncontrolled Resource Consumption

References 2

https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c…

security-advisories@github.com

https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9

security-advisories@github.com

Menu

CVE-2026-28789

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

CVE Details

Editor's Choice

Menu

CVE-2026-28789

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

CVE Details

Editor's Choice

Stay informed on cybersecurity