Cyber Posture

CVE-2026-28342

Severity: High · Public PoC

Published: 05 March 2026
Modified: 10 March 2026
KEV Added: not listed
Patch: available (fixed in 3000.10.2)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0058 (68.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28342 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in OliveTin. Its CVSS v3.1 base score is 7.5 (High); the vector carries no confidentiality or integrity impact, only a high availability impact.

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks in the top 31.1% of CVEs by exploit likelihood (EPSS 68.9th percentile), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-5 (Denial-of-service Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated mapping]

SC-5 Denial-of-service Protection (prevent)
Directly implements denial-of-service protections such as request throttling to prevent memory exhaustion from concurrent unauthenticated requests to the PasswordHash endpoint.

SC-6 Resource Availability (prevent)
Protects resource availability by limiting allocations to processes like password hashing, mitigating uncontrolled memory consumption where no resource limits exist.

AC-14 Permitted Actions Without Identification or Authentication (prevent, detect)
Limits and monitors permitted actions without authentication, preventing unauthenticated access to the resource-intensive PasswordHash API endpoint.

MITRE ATT&CK Enterprise Techniques [AI-generated mapping]

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

The vulnerability directly enables remote unauthenticated attackers to abuse the PasswordHash endpoint with concurrent requests, causing application-layer resource exhaustion (memory) and DoS, which maps to Application Exhaustion Flood.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS). The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits. This issue has been patched in version 3000.10.2.

Deeper analysis [AI-generated]

CVE-2026-28342 affects OliveTin, a web interface that provides access to predefined shell commands, in versions prior to 3000.10.2. The vulnerability resides in the PasswordHash API endpoint, which permits unauthenticated users to trigger excessive memory allocation through concurrent password hashing requests. This occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits, as reflected in the associated weaknesses CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting its high availability impact.

Any unauthenticated attacker with network access can exploit this vulnerability by issuing multiple parallel requests to the PasswordHash endpoint, exhausting available container memory and causing service degradation or complete denial of service (DoS). No user interaction or privileges are required, making it straightforward to execute remotely.

The vulnerability has been patched in OliveTin version 3000.10.2, as detailed in the project's GitHub security advisory (GHSA-pc8g-78pf-4xrp), release notes, and the fixing commit (2eb5f0ba79d4bbef3c802bf8b4666a7e18dcfd90). Security practitioners should upgrade to the patched version. Where an upgrade must wait, the controls above apply directly: require authentication before the endpoint is reachable, throttle or cap concurrent requests to it, and run the service under a memory limit so that exhaustion degrades only the OliveTin container rather than the host.
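The mitigating controls and the analysis above describe the missing pieces in the abstract: authentication, throttling, and a bound on allocations. The following Go program is an added example, not OliveTin's code and not the fix commit; it shows the vulnerable handler pattern the advisory describes next to a hardened one that applies all three controls before allocating. The memory-hard hash is a constructed stand-in that allocates a fixed buffer per call, the route path `/api/PasswordHash`, the bearer-token check, the 16 MiB cost, and the 1024-byte body cap are all assumptions for illustration, and the `HashGate` type is this example's own.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"io"
	"log"
	"net/http"
	"sync/atomic"
)

const (
	hashMemCost      = 16 << 20 // bytes allocated per hash call; illustrative, not OliveTin's real cost
	maxPasswordBytes = 1024     // hypothetical cap on the request body, enforced before any hashing
)

// memoryHardHash is a constructed stand-in for a memory-hard password hash such
// as Argon2: every call allocates memCost bytes, which is the quantity an
// attacker multiplies by sending requests in parallel.
func memoryHardHash(password string, memCost int) string {
	buf := make([]byte, memCost)
	copy(buf, password)
	for i := 1; i < len(buf); i++ { // stir the buffer so the allocation is really touched
		buf[i] ^= buf[i-1] + byte(i)
	}
	sum := sha256.Sum256(buf)
	return hex.EncodeToString(sum[:])
}

// HashGate caps the number of hash operations in flight. A full gate rejects
// immediately instead of queuing; a queue would still let an attacker pile up
// pending work behind the limit.
type HashGate struct {
	slots    chan struct{}
	Rejected atomic.Int64 // requests turned away; a useful signal for detection
}

func NewHashGate(maxInFlight int) *HashGate {
	return &HashGate{slots: make(chan struct{}, maxInFlight)}
}

func (g *HashGate) TryAcquire() bool {
	select {
	case g.slots <- struct{}{}:
		return true
	default:
		g.Rejected.Add(1)
		return false
	}
}

func (g *HashGate) Release() { <-g.slots }

// bearerAuth is a hypothetical session check standing in for the application's
// real one: a constant-time comparison of the Authorization header.
func bearerAuth(expected string) func(*http.Request) bool {
	want := []byte("Bearer " + expected)
	return func(r *http.Request) bool {
		return subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), want) == 1
	}
}

// VulnerablePasswordHash mirrors the pattern the advisory describes: no
// authentication, no concurrency limit, no body size limit, allocate on every call.
func VulnerablePasswordHash(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	io.WriteString(w, memoryHardHash(string(body), hashMemCost))
}

// HardenedPasswordHash applies the missing controls cheapest-first: reject
// anonymous callers, reject when the gate is full, bound the input, then allocate.
func HardenedPasswordHash(gate *HashGate, isAuthenticated func(*http.Request) bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !isAuthenticated(r) { // AC-14: no costly actions without authentication
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		if !gate.TryAcquire() { // SC-5 / SC-6: bound concurrent allocations
			w.Header().Set("Retry-After", "1")
			http.Error(w, "too many concurrent hash requests", http.StatusTooManyRequests)
			return
		}
		defer gate.Release()
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxPasswordBytes))
		if err != nil {
			http.Error(w, "password too long", http.StatusRequestEntityTooLarge)
			return
		}
		io.WriteString(w, memoryHardHash(string(body), hashMemCost))
	}
}

func main() {
	gate := NewHashGate(2) // at most two 16 MiB hashes at once, whatever the request rate
	http.HandleFunc("/api/PasswordHash", HardenedPasswordHash(gate, bearerAuth("example-token")))
	log.Fatal(http.ListenAndServe("127.0.0.1:1337", nil))
}
```

The ordering in the hardened handler matters: with a gate of two slots, peak memory for this endpoint is bounded at 2 × 16 MiB regardless of how many parallel requests arrive, and an unauthenticated flood never reaches the allocation at all. The `Rejected` counter is the cheap place to hook an alert, since a burst of 429s on a hashing endpoint is the observable trace of exactly the flood the advisory describes.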

Details

CWE(s): CWE-400 (Uncontrolled Resource Consumption), CWE-770 (Allocation of Resources Without Limits or Throttling)

Affected Products: OliveTin (vendor olivetin, product olivetin), versions prior to 3000.10.2 (fixed in 3000.10.2)

CVEs Like This One

CVE-2026-28789 (same product: OliveTin)
CVE-2026-30223 (same product: OliveTin)
CVE-2026-28790 (same product: OliveTin)
CVE-2026-31817 (same product: OliveTin)
CVE-2026-27626 (same product: OliveTin)
CVE-2026-26477 (shared CWE-400, CWE-770)
CVE-2026-36958 (shared CWE-400)
CVE-2024-12537 (shared CWE-770)
CVE-2025-21545 (shared CWE-400)
CVE-2026-40481 (shared CWE-400)

References