CVE-2026-28789
Published: 05 March 2026
Summary
CVE-2026-28789 is a high-severity Race Condition (CWE-362) vulnerability in Olivetin Olivetin. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Planning and coordination of security activities (scans, tests, maintenance) directly imposes scheduling and throttling that prevents those activities from producing uncontrolled resource consumption.
Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.
Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.
Accurate timestamps from internal clocks enable detection of race conditions by providing reliable event ordering in audit logs.
Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.
Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated network-accessible race condition in public web app (/oauth/login) directly enables T1190 exploitation of public-facing application and T1499.004 application/system exploitation resulting in process crash and DoS.
NVD Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a…
more
Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.
Deeper analysisAI
CVE-2026-28789 is an unauthenticated denial-of-service vulnerability in OliveTin, a web interface that provides access to predefined shell commands. In versions prior to 3000.10.3, the OAuth2 login flow is susceptible to unsynchronized access to a shared registeredStates map. Concurrent requests to the /oauth/login endpoint trigger concurrent map writes, resulting in a Go runtime panic (fatal error: concurrent map writes) and process termination. The vulnerability is associated with CWEs 362, 400, and 662, and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Unauthenticated remote attackers can exploit this issue by sending concurrent requests to /oauth/login when OAuth2 is enabled in OliveTin. No privileges or user interaction are required, and exploitation is straightforward over the network with low complexity. Successful attacks cause the OliveTin process to crash, leading to a denial of service by terminating the service.
The issue has been addressed in OliveTin version 3000.10.3. Security advisories and the patching commit are available at https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9 and https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36. Practitioners should upgrade to the patched version to mitigate the vulnerability.
Details
- CWE(s)