High severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 6, 2026
OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling
CVE-2026-28789
Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/OliveTin/OliveTin (Go) | < 0.0.0-20260301235225-f044d90d5525c | 0.0.0-20260301235225-f044d90d5525c |
Affected products (3)
- ghsa-coords (2 versions): pkg:golang/github.com/olivetin/olivetin, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6; range: < 0.0.0-20260301235225-f044d90d5525c (+ 1 more)
- (no CPE) range: < 0.0.0-20260301235225-f044d90d5525c
- (no CPE) range: < 0.0.20260317T205859-150000.1.152.1
References (4)
- github.com/advisories/GHSA-45m3-398w-m2m9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-28789 (ghsa, ADVISORY)
- github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36 (ghsa, x_refsource_MISC, WEB)
- github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9 (ghsa, x_refsource_CONFIRM, WEB)