{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28789", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T14:25:19.244Z", "datePublished": "2026-03-05T19:33:46.924Z", "dateUpdated": "2026-03-06T18:01:38.094Z"}, "containers": {"cna": {"title": "OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-662", "lang": "en", "description": "CWE-662: Improper Synchronization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"}, {"name": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36", "tags": ["x_refsource_MISC"], "url": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36"}], "affected": [{"vendor": "OliveTin", "product": "OliveTin", "versions": [{"version": "< 3000.10.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T19:33:46.924Z"}, "descriptions": [{"lang": "en", "value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin\u2019s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3."}], "source": {"advisory": "GHSA-45m3-398w-m2m9", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T18:01:34.546987Z", "id": "CVE-2026-28789", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:01:38.094Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28789", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T18:01:34.546987Z"}}}], "references": [{"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:01:27.656Z"}}], "cna": {"title": "OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling", "source": {"advisory": "GHSA-45m3-398w-m2m9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OliveTin", "product": "OliveTin", "versions": [{"status": "affected", "version": "< 3000.10.3"}]}], "references": [{"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9", "name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36", "name": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin\u2019s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-662", "description": "CWE-662: Improper Synchronization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T19:33:46.924Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28789", "state": "PUBLISHED", "dateUpdated": "2026-03-06T18:01:38.094Z", "dateReserved": "2026-03-03T14:25:19.244Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T19:33:46.924Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:olivetin:olivetin:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B4582D9-169E-40D5-8E85-A2C591F413A9", "versionEndIncluding": "3000.10.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin\u2019s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3."}, {"lang": "es", "value": "OliveTin proporciona acceso a comandos de shell predefinidos desde una interfaz web. Antes de la versi\u00f3n 3000.10.3, existe una vulnerabilidad de denegaci\u00f3n de servicio no autenticada en el flujo de inicio de sesi\u00f3n OAuth2 de OliveTin. Las solicitudes concurrentes a /oauth/login pueden desencadenar un acceso no sincronizado a un mapa registeredStates compartido, causando un p\u00e1nico en tiempo de ejecuci\u00f3n de Go (error fatal: escrituras concurrentes en el mapa) y la terminaci\u00f3n del proceso. Esto permite a los atacantes remotos bloquear el servicio cuando OAuth2 est\u00e1 habilitado. Este problema ha sido parcheado en la versi\u00f3n 3000.10.3."}], "id": "CVE-2026-28789", "lastModified": "2026-03-10T15:42:11.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-05T20:16:16.653", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-662"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3000.10.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "OliveTin", "source": "cna", "vendor": "OliveTin"}, "product": "olivetin", "vendor": "olivetin"}], "analysis": {"en": {"generated_at": "2026-04-16T12:12:59.302473+00:00", "value": {"mitigation_remediation": ["Upgrade OliveTin to version 3000.10.3 or newer, where the concurrent map write bug has been fixed.", "If upgrading immediately is not possible, disable OAuth2 authentication to eliminate the vulnerable endpoint.", "After applying a patch or disabling OAuth2, restart the OliveTin service to ensure the updated code is running and monitor for repeated crashes."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "OliveTin software versions earlier than 3000.10.3 are affected. The vulnerability is tied to the OAuth2 authentication mechanism within the OliveTin application.", "description_and_impact": "OliveTin allows execution of predetermined shell commands via a web interface. In versions prior to 3000.10.3, the OAuth2 login flow contains an unguarded concurrent write to a shared states map. Multiple simultaneous requests to the /oauth/login endpoint can trigger a Go runtime panic, terminating the process. The flaw is exploitable without authentication, allowing remote attackers to crash the service whenever OAuth2 is enabled.", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high impact denial\u2011of\u2011service vulnerability. EPSS is below 1\u202f%, suggesting a low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. The likely attack vector is remote, unauthenticated HTTP requests targeting the /oauth/login endpoint. Exploitation requires the ability to send concurrent requests; no special privileges or network access are needed beyond reaching the OliveTin service."}}}}, "created": "2026-03-06T15:01:14.875493+00:00", "updated": "2026-04-16T12:15:35.094638+00:00", "vendors": ["olivetin", "olivetin$PRODUCT$olivetin"]}