OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login
Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OliveTin before 3000.11.0 allows unauthenticated guests to terminate running actions via KillAction RPC, bypassing guest login requirements and enabling unauthorized denial of service.
Vulnerability
Overview
OliveTin, a web interface for executing predefined shell commands, contains a broken access control vulnerability in versions prior to 3000.11.0. The issue arises because the KillAction RPC endpoint does not enforce the authRequireGuestsToLogin setting. While guests are correctly blocked from accessing the dashboard, they can still directly call the KillAction RPC and successfully terminate running actions. This inconsistency in authorization enforcement allows unauthenticated guests to initiate a denial-of-service condition against legitimate action executions [1][2].
Exploitation and Attack Surface
An unauthenticated guest can exploit this vulnerability by directly invoking the KillAction remote procedure call. The lack of guest login enforcement on this specific endpoint, combined with the fact that config sanitization leaves the kill permission unchanged when guest login is required, means that in the default path, a guest user can satisfy the IsAllowedKill() check. The exploit requires no authentication and can be performed over the network. A proof-of-concept demonstrates that on a clean installation, a guest can kill an action started by an authenticated admin user [2].
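The mechanism described above, as an added worked example that is not OliveTin's own code: a simplified Go model of the config sanitizer before and after the fix, and a guest-side kill check in the spirit of IsAllowedKill(). The Permissions and Config structs, the guestMayKill helper and the starting values in newGuestLoginConfig are assumptions for illustration (the field names View/Exec/Logs/Kill follow the patched diff); only the four assignments in sanitizeAfter mirror the actual fix.

```go
package main

import "fmt"

// Permissions is a simplified stand-in for the per-user permission flags
// OliveTin applies to guests. Field names follow the patched diff; the
// struct layout itself is an assumption for this example.
type Permissions struct {
	View bool
	Exec bool
	Logs bool
	Kill bool
}

// Config is a minimal stand-in for the project's config object.
type Config struct {
	AuthRequireGuestsToLogin bool
	DefaultPermissions       Permissions
}

// sanitizeBefore models the pre-fix behaviour: when guests must log in,
// View, Exec and Logs are cleared for guests but Kill is left untouched.
func sanitizeBefore(cfg *Config) {
	if !cfg.AuthRequireGuestsToLogin {
		return
	}
	cfg.DefaultPermissions.View = false
	cfg.DefaultPermissions.Exec = false
	cfg.DefaultPermissions.Logs = false
}

// sanitizeAfter mirrors the one-line fix in commit d9804182eae4:
// Kill is now cleared alongside the other three flags.
func sanitizeAfter(cfg *Config) {
	if !cfg.AuthRequireGuestsToLogin {
		return
	}
	cfg.DefaultPermissions.View = false
	cfg.DefaultPermissions.Exec = false
	cfg.DefaultPermissions.Logs = false
	cfg.DefaultPermissions.Kill = false
}

// guestMayKill is a hypothetical simplification of the guest path of an
// IsAllowedKill()-style check: an unauthenticated caller is judged only
// against the default (guest) permissions.
func guestMayKill(cfg *Config) bool {
	return cfg.DefaultPermissions.Kill
}

// newGuestLoginConfig builds a constructed config resembling a clean
// installation where guest login is required but every default
// permission, including Kill, starts out enabled.
func newGuestLoginConfig() *Config {
	return &Config{
		AuthRequireGuestsToLogin: true,
		DefaultPermissions:       Permissions{View: true, Exec: true, Logs: true, Kill: true},
	}
}

// KillAllowedBefore reports whether a guest passes the kill check after the
// pre-fix sanitizer has run. Expected: true (the bypass).
func KillAllowedBefore() bool {
	cfg := newGuestLoginConfig()
	sanitizeBefore(cfg)
	return guestMayKill(cfg)
}

// KillAllowedAfter reports the same check after the patched sanitizer.
// Expected: false (guests can no longer terminate actions).
func KillAllowedAfter() bool {
	cfg := newGuestLoginConfig()
	sanitizeAfter(cfg)
	return guestMayKill(cfg)
}

// GuestsNotRequiredToLoginUnchanged confirms the sanitizer is a no-op when
// authRequireGuestsToLogin is false, so the fix does not alter that path.
func GuestsNotRequiredToLoginUnchanged() bool {
	cfg := newGuestLoginConfig()
	cfg.AuthRequireGuestsToLogin = false
	sanitizeAfter(cfg)
	return cfg.DefaultPermissions == Permissions{View: true, Exec: true, Logs: true, Kill: true}
}

func main() {
	fmt.Println("guest may kill, pre-fix sanitizer: ", KillAllowedBefore())
	fmt.Println("guest may kill, patched sanitizer: ", KillAllowedAfter())
	fmt.Println("no-op when guests need not log in:", GuestsNotRequiredToLoginUnchanged())
}
```

The point the model makes visible is that the authorization decision was never taken at the RPC boundary; it depended entirely on the sanitizer having cleared every guest flag, so one missing assignment was enough to leave KillAction open.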
Impact
Successful exploitation allows an unauthenticated attacker to terminate any running action, resulting in unauthorized denial of service. This can disrupt legitimate workflows and system administration tasks that rely on OliveTin, potentially causing service interruptions or data loss if the terminated actions are critical operations. The vulnerability does not grant the attacker any access to read data or execute new actions; it is limited strictly to killing already-running processes [1][2].
Mitigation
The vulnerability has been patched in OliveTin version 3000.11.0 [1][3]. Users running earlier versions should upgrade immediately to close this authorization bypass. No workarounds are mentioned in the advisory other than applying the patch, which ensures that KillAction properly enforces the guest login requirement [2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/OliveTin/OliveTin (Go) | < 0.0.0-20260302002902-d9804182eae4 | 0.0.0-20260302002902-d9804182eae4 |
Affected products
- OliveTin/OliveTin: < 3000.11.0
Patches
- d9804182eae4 security: GHSA-4fqm-6fmh-82mq Authentication bypass in KillAction - thanks for the responsible disclosure @kule500 and making OliveTin better
1 file changed · +1 −0
service/internal/config/sanitize.go+1 −0 modified@@ -164,6 +164,7 @@ func (cfg *Config) sanitizeAuthRequireGuestsToLogin() { cfg.DefaultPermissions.View = false cfg.DefaultPermissions.Exec = false cfg.DefaultPermissions.Logs = false + cfg.DefaultPermissions.Kill = false } }
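Review bot: the added `cfg.DefaultPermissions.Kill = false` brings Kill in line with the View, Exec and Logs flags already cleared in sanitizeAuthRequireGuestsToLogin, but the change ships without a regression test; a test that loads a config with authRequireGuestsToLogin set and asserts that all four default permissions are false would catch the same omission if a further permission flag is added later. Separately, because the fix lives in config sanitization rather than in the KillAction handler, the endpoint still depends on sanitization having run on every config load path; an explicit check of the guest-login requirement at the RPC boundary would be the defense-in-depth complement to this hunk.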
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4fqm-6fmh-82mq (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-28790 (NVD advisory)
- github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9 (fix commit)
- github.com/OliveTin/OliveTin/releases/tag/3000.11.0 (release)
- github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq (vendor advisory, confirmed)
News mentions
No linked articles in our index yet.