CVE-2026-28789
Published: 05 March 2026
Summary
CVE-2026-28789 is a high-severity Race Condition (CWE-362) vulnerability in Olivetin Olivetin. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-28789 is an unauthenticated denial-of-service vulnerability in OliveTin, a web interface that provides access to predefined shell commands. In versions prior to 3000.10.3, the OAuth2 login flow is susceptible to unsynchronized access to a shared registeredStates map. Concurrent requests to the /oauth/login endpoint trigger concurrent map writes, resulting in a Go runtime panic (fatal error: concurrent map writes) and process termination. The vulnerability is associated with CWEs 362, 400, and 662, and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Unauthenticated remote attackers can exploit this issue by sending concurrent requests to /oauth/login when OAuth2 is enabled in OliveTin. No privileges or user interaction are required, and exploitation is straightforward over the network with low complexity. Successful attacks cause the OliveTin process to crash, leading to a denial of service by terminating the service.
The issue has been addressed in OliveTin version 3000.10.3. Security advisories and the patching commit are available at https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9 and https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36. Practitioners should upgrade to the patched version to mitigate the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9873
Vulnerability details
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a…
more
Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated network-accessible race condition in public web app (/oauth/login) directly enables T1190 exploitation of public-facing application and T1499.004 application/system exploitation resulting in process crash and DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates identification, reporting, testing, and correction of the specific concurrency flaw in OliveTin's OAuth2 login flow causing the runtime panic.
Implements denial-of-service protections such as rate limiting to block concurrent requests to the /oauth/login endpoint that trigger the map write race condition.
Enables real-time monitoring to identify ongoing DoS attacks via anomalous concurrent requests and resulting process crashes in the OAuth2 login flow.