CVE-2026-28789
📋 TL;DR
CVE-2026-28789 is an unauthenticated denial-of-service vulnerability in OliveTin's OAuth2 login flow. Attackers can crash the service by sending concurrent requests to trigger a Go runtime panic when OAuth2 is enabled. This affects all OliveTin deployments with OAuth2 enabled prior to version 3000.10.3.
💻 Affected Systems
- OliveTin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage requiring manual restart, potentially disrupting access to shell commands managed through OliveTin.
Likely Case
Service crashes and becomes unavailable until manually restarted, causing temporary denial of service.
If Mitigated
No impact if OAuth2 is disabled or a patched version is deployed.
🎯 Exploit Status
Exploitation requires sending concurrent HTTP requests to /oauth/login endpoint. No authentication needed when OAuth2 is enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3000.10.3
Vendor Advisory: https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9
Restart Required: Yes
Instructions:
1. Stop the OliveTin service.
2. Update to version 3000.10.3 or later.
3. Restart the OliveTin service.
🔧 Temporary Workarounds
Disable OAuth2 Authentication
Switch to basic authentication or disable authentication entirely to avoid the vulnerable code path.
Edit OliveTin configuration to use basic auth or no auth
Rate Limit /oauth/login Endpoint
Implement rate limiting on the vulnerable endpoint using a reverse proxy or WAF.
# Example nginx rate limiting. limit_req_zone belongs in the http context;
# the location block goes inside the server block that proxies to OliveTin
# (keep your existing proxy_pass directive inside it).
limit_req_zone $binary_remote_addr zone=oauth:10m rate=1r/s;
location /oauth/login {
    limit_req zone=oauth burst=5;
}
🧯 If You Can't Patch
- Disable OAuth2 authentication and use basic authentication instead
- Implement network-level protection with WAF or reverse proxy to block/rate limit requests to /oauth/login
🔍 How to Verify
Check if Vulnerable:
Check whether the OliveTin version is below 3000.10.3 and OAuth2 is enabled in the configuration.
Check Version:
olivetin --version
Verify Fix Applied:
Confirm version is 3000.10.3 or later and test with concurrent requests to /oauth/login endpoint.
📡 Detection & Monitoring
Log Indicators:
- Go runtime panic messages
- fatal error: concurrent map writes
- Process termination/crash logs
- Multiple rapid requests to /oauth/login
Network Indicators:
- Burst of HTTP requests to /oauth/login endpoint
- Service becoming unresponsive after request spikes
SIEM Query:
source="olivetin.log" AND ("concurrent map writes" OR "panic" OR "fatal error")
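The log and network indicators above can be checked offline against exported logs. The script below is an added example, not OliveTin project code: it flags lines matching the Go panic markers and detects bursts of requests to /oauth/login with a sliding window. The log format (ISO-8601 timestamp first, one event per line) and the sample lines are constructed assumptions; adapt the parsing to your own log format.

```python
"""Scan exported OliveTin-style log lines for CVE-2026-28789 indicators.

Added example, not part of OliveTin. The line format is an assumption:
an ISO-8601 timestamp, then free text (request path, panic message, ...).
"""
from collections import deque
from datetime import datetime

# Markers from the "Log Indicators" list above.
PANIC_MARKERS = ("concurrent map writes", "panic", "fatal error")


def find_panic_lines(lines):
    """Return every line that contains one of the Go runtime panic markers."""
    return [ln for ln in lines if any(m in ln for m in PANIC_MARKERS)]


def find_oauth_bursts(lines, threshold=5, window_s=1.0):
    """Return timestamps (ISO strings) at which at least `threshold` requests
    to /oauth/login arrived within `window_s` seconds.

    Uses a sliding window over the request timestamps; each burst is
    reported once, after which the window is reset.
    """
    hits = []
    recent = deque()
    for ln in lines:
        if "/oauth/login" not in ln:
            continue
        ts = datetime.fromisoformat(ln.split(" ", 1)[0])
        recent.append(ts)
        # Drop requests that fell out of the window.
        while (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()
        if len(recent) >= threshold:
            hits.append(ts.isoformat())
            recent.clear()
    return hits


def scan(lines):
    """Combine both checks into one summary dict for reporting."""
    return {
        "panic_lines": find_panic_lines(lines),
        "oauth_bursts": find_oauth_bursts(lines),
    }


# Constructed sample log: a normal request, a burst of six /oauth/login
# requests within half a second, then a crash.
SAMPLE_LOG = [
    "2026-03-01T09:59:58.000 INFO request GET /api/status remote=203.0.113.5",
    "2026-03-01T10:00:00.100 INFO request GET /oauth/login remote=203.0.113.5",
    "2026-03-01T10:00:00.200 INFO request GET /oauth/login remote=203.0.113.5",
    "2026-03-01T10:00:00.300 INFO request GET /oauth/login remote=203.0.113.5",
    "2026-03-01T10:00:00.400 INFO request GET /oauth/login remote=203.0.113.5",
    "2026-03-01T10:00:00.500 INFO request GET /oauth/login remote=203.0.113.5",
    "2026-03-01T10:00:00.600 INFO request GET /oauth/login remote=203.0.113.5",
    "2026-03-01T10:00:00.700 fatal error: concurrent map writes",
    "2026-03-01T10:00:00.701 goroutine 42 [running]:",
    "2026-03-01T10:00:00.702 ERROR http: panic serving 203.0.113.5",
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for ln in result["panic_lines"]:
        print("PANIC   ", ln)
    for ts in result["oauth_bursts"]:
        print("BURST at", ts)
```

A burst followed within seconds by a panic line is the pattern worth alerting on; a burst alone may be a legitimate login storm, and a panic alone may have another cause.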