
Description

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.
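The defect class the description names, a Go map written from several request goroutines without a lock, is fatal rather than merely racy: the runtime aborts the whole process on "concurrent map writes". The following is an added example and is not OliveTin's code or the patched code from the referenced commit; it assumes a hypothetical `stateStore` type that keeps pending OAuth2 state nonces behind a `sync.Mutex`, with single-use consumption, expiry, and an upper bound on pending entries so that unauthenticated callers to the login endpoint cannot grow the map without limit. `registerConcurrently` simulates many simultaneous login requests; with the mutex it completes, whereas the same loop over a bare map would crash the process.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// stateStore (hypothetical, not OliveTin's type) holds pending OAuth2 "state"
// nonces. The mutex is what the vulnerable pattern in the advisory lacks: a
// plain Go map written from several request goroutines at once panics with
// "fatal error: concurrent map writes" and terminates the process.
type stateStore struct {
	mu     sync.Mutex
	states map[string]time.Time // state value -> expiry
	ttl    time.Duration
	limit  int // bound on pending states; unauthenticated callers cannot grow the map without limit
}

func newStateStore(ttl time.Duration, limit int) *stateStore {
	return &stateStore{states: make(map[string]time.Time), ttl: ttl, limit: limit}
}

// Register creates a fresh random state and records it. Safe to call from
// many goroutines concurrently because every map access happens under mu.
func (s *stateStore) Register() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	state := hex.EncodeToString(buf)

	s.mu.Lock()
	defer s.mu.Unlock()
	s.pruneLocked()
	if len(s.states) >= s.limit {
		return "", fmt.Errorf("too many pending login states")
	}
	s.states[state] = time.Now().Add(s.ttl)
	return state, nil
}

// Consume validates a state presented on the OAuth2 callback. Each state is
// single-use (deleted on first sight) and must not have expired.
func (s *stateStore) Consume(state string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.states[state]
	if !ok {
		return false
	}
	delete(s.states, state)
	return time.Now().Before(exp)
}

// Len reports how many states are pending.
func (s *stateStore) Len() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.states)
}

// pruneLocked drops expired entries; the caller must hold mu.
func (s *stateStore) pruneLocked() {
	now := time.Now()
	for k, exp := range s.states {
		if now.After(exp) {
			delete(s.states, k)
		}
	}
}

// registerConcurrently simulates n simultaneous login requests hitting the
// store at once and returns how many states ended up recorded.
func registerConcurrently(s *stateStore, n int) int {
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			_, _ = s.Register()
		}()
	}
	wg.Wait()
	return s.Len()
}

func main() {
	store := newStateStore(5*time.Minute, 1000)
	fmt.Println("stored states after 200 concurrent logins:", registerConcurrently(store, 200))
	st, _ := store.Register()
	fmt.Println("first callback accepted:", store.Consume(st))
	fmt.Println("replayed callback accepted:", store.Consume(st))
}
```

Running the binary under `go run -race` is the cheap check for this class of bug: the race detector flags unsynchronized map access before the runtime's fatal error ever triggers, so it belongs in CI for any handler that touches shared state.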

Status: PUBLISHED | Reserved 2026-03-03 | Published 2026-03-05 | Updated 2026-03-06 | Assigner: GitHub_M

Severity: HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-662: Improper Synchronization

CWE-400: Uncontrolled Resource Consumption

Product status

< 3000.10.3: affected

References

github.com/...iveTin/security/advisories/GHSA-45m3-398w-m2m9 exploit

github.com/...iveTin/security/advisories/GHSA-45m3-398w-m2m9

github.com/...ommit/f044d90d5525c4c8e3f421b32ed7eff771c22d36

cve.org (CVE-2026-28789)

nvd.nist.gov (CVE-2026-28789)
