CVE-2026-28342
📋 TL;DR
CVE-2026-28342 is an unauthenticated denial-of-service vulnerability in OliveTin's PasswordHash API endpoint. Attackers can send concurrent password hashing requests to exhaust container memory, causing service degradation or complete outage. All OliveTin instances prior to version 3000.10.2 are affected.
💻 Affected Systems
- OliveTin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage due to memory exhaustion, potentially affecting all OliveTin-managed shell commands and disrupting operations.
Likely Case
Service degradation or temporary unavailability as memory consumption spikes from concurrent attack requests.
If Mitigated
Minimal impact with proper request throttling, authentication, and resource limits in place.
🎯 Exploit Status
Exploitation requires only sending concurrent HTTP requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3000.10.2
Vendor Advisory: https://github.com/OliveTin/OliveTin/security/advisories/GHSA-pc8g-78pf-4xrp
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Update OliveTin to version 3000.10.2 or later.
3. Restart the OliveTin service.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the OliveTin web interface and API endpoints using firewall rules (allow the trusted network first, then drop everything else):
iptables -A INPUT -p tcp --dport [OLIVETIN_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [OLIVETIN_PORT] -j DROP
Reverse Proxy Rate Limiting
Implement request rate limiting at the reverse proxy level to blunt bursts of concurrent hashing requests.
# Configure nginx rate limiting (limit_req_zone belongs in the http context):
limit_req_zone $binary_remote_addr zone=olivetin:10m rate=10r/s;
# Add to the location block that proxies OliveTin:
limit_req zone=olivetin burst=20 nodelay;
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OliveTin from untrusted networks.
- Deploy web application firewall (WAF) with rate limiting and DoS protection rules.
🔍 How to Verify
Check if Vulnerable:
Check OliveTin version via web interface or configuration file. Versions below 3000.10.2 are vulnerable.
Check Version:
curl -s http://localhost:1337/api/info | grep version
Verify Fix Applied:
Confirm the version is 3000.10.2 or later, and test that the PasswordHash endpoint now enforces its authentication requirements.
📡 Detection & Monitoring
Log Indicators:
- Multiple rapid requests to /api/passwordhash endpoint
- Abnormal memory consumption spikes in container/process metrics
- Error logs indicating memory allocation failures
Network Indicators:
- High volume of HTTP POST requests to PasswordHash API from single source
- Concurrent connections exceeding normal baseline
SIEM Query:
source="olivetin" AND (uri_path="/api/passwordhash" OR message="*memory*") | stats count by src_ip
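As an added example (not code from the advisory or the OliveTin project), the first log indicator above turned into a small detector: it parses combined-format access log lines, assumed to come from a reverse proxy in front of OliveTin, tracks requests to /api/passwordhash per source address in a sliding window, and reports sources that exceed a threshold. Log lines are assumed to be in chronological order per source; the sample lines and addresses are constructed.

```python
"""Flag sources bursting requests at OliveTin's PasswordHash endpoint."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format as written by a reverse proxy in front of OliveTin (assumed layout).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/api/passwordhash"  # path named in the advisory's log indicators

# Constructed sample log lines: one source fires 12 hashing requests within one
# second; another makes two well-spaced requests plus an unrelated GET (normal use).
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Mar/2026:10:00:00 +0000] "POST /api/passwordhash HTTP/1.1" 200 {i}'
    for i in range(12)
] + [
    '192.0.2.10 - - [01/Mar/2026:10:00:00 +0000] "POST /api/passwordhash HTTP/1.1" 200 57',
    '192.0.2.10 - - [01/Mar/2026:10:00:05 +0000] "POST /api/passwordhash HTTP/1.1" 200 57',
    '192.0.2.10 - - [01/Mar/2026:10:00:06 +0000] "GET /api/info HTTP/1.1" 200 120',
]


def parse_line(line):
    """Return (src_ip, timestamp, method, path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["src"], ts, m["method"], m["path"]


def find_bursting_sources(lines, window_s=1.0, max_requests=10):
    """Return {src_ip: peak_count} for sources that exceed max_requests to
    TARGET_PATH inside any sliding window of window_s seconds (lines must be
    chronological per source)."""
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the detector
        src, ts, _method, path = parsed
        if path.split("?", 1)[0].lower() != TARGET_PATH:
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > max_requests:
            offenders[src] = max(offenders.get(src, 0), len(q))
    return offenders
```

Tune window_s and max_requests to the proxy's own rate limit (the nginx fragment above allows 10 r/s with a burst of 20) so that alerts fire on traffic the limiter would already be rejecting.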