{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28790", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T14:25:19.244Z", "datePublished": "2026-03-05T19:34:53.951Z", "dateUpdated": "2026-03-06T17:57:04.488Z"}, "containers": {"cna": {"title": "OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq"}, {"name": "https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9", "tags": ["x_refsource_MISC"], "url": "https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9"}, {"name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0"}], "affected": [{"vendor": "OliveTin", "product": "OliveTin", "versions": [{"version": "< 3000.11.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T19:34:53.951Z"}, "descriptions": [{"lang": "en", "value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0."}], "source": {"advisory": "GHSA-4fqm-6fmh-82mq", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T17:57:00.483301Z", "id": "CVE-2026-28790", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:57:04.488Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28790", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T17:57:00.483301Z"}}}], "references": [{"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:56:50.373Z"}}], "cna": {"title": "OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login", "source": {"advisory": "GHSA-4fqm-6fmh-82mq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OliveTin", "product": "OliveTin", "versions": [{"status": "affected", "version": "< 3000.11.0"}]}], "references": [{"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq", "name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9", "name": "https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0", "name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T19:34:53.951Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28790", "state": "PUBLISHED", "dateUpdated": "2026-03-06T17:57:04.488Z", "dateReserved": "2026-03-03T14:25:19.244Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T19:34:53.951Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:olivetin:olivetin:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA9FC7F5-7327-4784-A1FF-10E968680C81", "versionEndExcluding": "3000.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0."}, {"lang": "es", "value": "OliveTin da acceso a comandos de shell predefinidos desde una interfaz web. Antes de la versi\u00f3n 3000.11.0, OliveTin permite a un invitado no autenticado terminar acciones en ejecuci\u00f3n a trav\u00e9s de KillAction incluso cuando authRequireGuestsToLogin: true est\u00e1 habilitado. Los invitados son bloqueados correctamente del acceso al panel de control, pero a\u00fan pueden llamar al RPC de KillAction directamente y detener con \u00e9xito una acci\u00f3n en ejecuci\u00f3n. Esto es un problema de control de acceso roto que causa denegaci\u00f3n de servicio no autorizada contra ejecuciones de acciones leg\u00edtimas. Este problema ha sido parcheado en la versi\u00f3n 3000.11.0."}], "id": "CVE-2026-28790", "lastModified": "2026-03-10T15:29:58.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-05T20:16:16.820", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-862"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3000.11.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "OliveTin", "source": "cna", "vendor": "OliveTin"}, "product": "olivetin", "vendor": "olivetin"}], "analysis": {"en": {"generated_at": "2026-04-16T12:12:37.036060+00:00", "value": {"mitigation_remediation": ["Upgrade OliveTin to version 3000.11.0 or later to apply the official patch.", "Verify that authRequireGuestsToLogin is enabled to enforce guest login, which is now complemented by the patch.", "As a temporary measure, block the KillAction endpoint at the network level using a firewall or reverse proxy to prevent unauthorized RPC calls."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via Unauthorized Action Termination"}, "threat_synthesis": {"affected_systems": "The flaw impacts OliveTin installations prior to version 3000.11.0. All affected deployments, regardless of the guests setting, are vulnerable until the patch is applied; version 3000.11.0 and later contain the fix.", "description_and_impact": "OliveTin allows an unauthenticated guest to prematurely terminate any running action by invoking the KillAction RPC, even when guests are required to log in. This broken access control results in a denial\u2011of\u2011service against legitimate executions and can disrupt scheduled tasks or operational processes. The weakness aligns with CWE\u2011284, CWE\u2011862, and CWE\u2011863.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, yet the EPSS score of less than 1\u202f% suggests exploitation is currently unlikely. The attack requires network access to the OliveTin server and the ability to send a valid RPC request; guests are otherwise blocked from the GUI dashboard, so the weaponization path relies solely on the exposed KillAction endpoint. The vulnerability is not listed in CISA\u2019s KEV catalog."}}}}, "created": "2026-03-06T15:01:13.943744+00:00", "updated": "2026-04-16T12:15:35.094214+00:00", "vendors": ["olivetin", "olivetin$PRODUCT$olivetin"]}