Cyber Resilience

CVE-2026-28789

HighPublic PoCDDoS

Published: 05 March 2026

Published
05 March 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0017 38.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28789 is a high-severity Race Condition (CWE-362) vulnerability in Olivetin Olivetin. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28789 is an unauthenticated denial-of-service vulnerability in OliveTin, a web interface that provides access to predefined shell commands. In versions prior to 3000.10.3, the OAuth2 login flow is susceptible to unsynchronized access to a shared registeredStates map. Concurrent requests to the /oauth/login endpoint trigger concurrent map writes, resulting in a Go runtime panic (fatal error: concurrent map writes) and process termination. The vulnerability is associated with CWEs 362, 400, and 662, and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Unauthenticated remote attackers can exploit this issue by sending concurrent requests to /oauth/login when OAuth2 is enabled in OliveTin. No privileges or user interaction are required, and exploitation is straightforward over the network with low complexity. Successful attacks cause the OliveTin process to crash, leading to a denial of service by terminating the service.

The issue has been addressed in OliveTin version 3000.10.3. Security advisories and the patching commit are available at https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9 and https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36. Practitioners should upgrade to the patched version to mitigate the vulnerability.

EU & UK References

Vulnerability details

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a…

more

Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Unauthenticated network-accessible race condition in public web app (/oauth/login) directly enables T1190 exploitation of public-facing application and T1499.004 application/system exploitation resulting in process crash and DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28790Same product: Olivetin Olivetin
CVE-2026-31817Same product: Olivetin Olivetin
CVE-2026-30223Same product: Olivetin Olivetin
CVE-2026-27626Same product: Olivetin Olivetin
CVE-2026-28342Same product: Olivetin Olivetin
CVE-2026-39304Shared CWE-400
CVE-2026-21637Shared CWE-400
CVE-2025-40944Shared CWE-400
CVE-2025-70886Shared CWE-400
CVE-2026-46834Shared CWE-400

Affected Assets

olivetin
olivetin
≤ 3000.10.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates identification, reporting, testing, and correction of the specific concurrency flaw in OliveTin's OAuth2 login flow causing the runtime panic.

prevent

Implements denial-of-service protections such as rate limiting to block concurrent requests to the /oauth/login endpoint that trigger the map write race condition.

detect

Enables real-time monitoring to identify ongoing DoS attacks via anomalous concurrent requests and resulting process crashes in the OAuth2 login flow.

References