Cyber Resilience

CVE-2026-28790

Severity: High · Public PoC

Published: 05 March 2026
Modified: 10 March 2026
KEV Added: none (not in the CISA KEV catalog)
Patch: available (fixed in 3000.11.0)
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.0012 (29.9th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28790 is a high-severity Improper Access Control (CWE-284) vulnerability in OliveTin (listed as Olivetin Olivetin). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 29.9th percentile by exploit likelihood, below the median. It is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced, so the low EPSS score should not be read as "no exploitation tooling exists".

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-28790 is a broken access control vulnerability in OliveTin, an open-source tool that provides web interface access to predefined shell commands. In versions prior to 3000.11.0, the application fails to properly enforce authentication for the KillAction RPC endpoint, even when the configuration option authRequireGuestsToLogin is set to true. While unauthenticated guests are correctly blocked from accessing the dashboard, they can still directly invoke KillAction to terminate any running actions, leading to unauthorized denial of service against legitimate executions. The issue is classified under CWE-284 (Improper Access Control), CWE-862 (Missing Authorization), and CWE-863 (Incorrect Authorization), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Any unauthenticated attacker with network access to the OliveTin instance can exploit this vulnerability by directly calling the KillAction RPC, requiring no privileges, user interaction, or special complexity. Successful exploitation allows the attacker to prematurely stop ongoing actions executed by authorized users, disrupting service availability without impacting confidentiality or integrity. This enables repeated denial-of-service attacks against critical shell command workflows managed through OliveTin.

The vulnerability has been addressed in OliveTin version 3000.11.0, as detailed in the project's security advisory (GHSA-4fqm-6fmh-82mq), the release notes, and the patching commit (d9804182eae43cf49f735e6533ddbe1541c2b9a9). Upgrade to the fixed version and confirm, after upgrading, that guest calls are refused across every RPC rather than only on the dashboard. Until the upgrade is in place, the practical compensating control is to remove the unauthenticated network path: put the OliveTin listener behind an authenticating reverse proxy or restrict which hosts can reach it, since the attack needs nothing beyond network access (AV:N, PR:N).
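The failure mode described above, and the AC-3/AC-14 controls mapped to it further down the page, come down to where the authentication check lives. The following is an added example written for this page; it is not OliveTin's code and the server, handler and action names in it are constructed for illustration. Only the configuration option `authRequireGuestsToLogin` is taken from the advisory. It shows the vulnerable shape (the guest check is repeated per handler and one handler, `KillAction`, omits it) beside the hardened shape (a single interceptor enforces the policy in front of every RPC, default-deny for guests, with an explicit allowlist for anything guests are meant to call).

```go
package main

import (
	"errors"
	"fmt"
)

// ErrGuestMustLogin is returned when authRequireGuestsToLogin is on and the
// caller carries no identity.
var ErrGuestMustLogin = errors.New("guests must log in")

// Config holds the one option the advisory names plus an AC-14 style
// allowlist of RPCs that guests may call even when login is required.
// The allowlist is a constructed illustration, not an OliveTin setting.
type Config struct {
	AuthRequireGuestsToLogin bool
	GuestCallable            map[string]bool
}

// Caller is the identity attached to a request; an empty Username is a guest.
type Caller struct {
	Username string
}

// Server tracks running action executions by ID (constructed stand-in).
type Server struct {
	cfg     Config
	running map[string]bool
}

func NewServer(cfg Config, ids ...string) *Server {
	s := &Server{cfg: cfg, running: map[string]bool{}}
	for _, id := range ids {
		s.running[id] = true
	}
	return s
}

func (s *Server) IsRunning(id string) bool { return s.running[id] }

// authorize is the policy. The advisory's bug is not the policy itself but
// the fact that it was applied per handler and skipped for KillAction.
func (s *Server) authorize(c Caller, rpc string) error {
	if s.cfg.AuthRequireGuestsToLogin && c.Username == "" && !s.cfg.GuestCallable[rpc] {
		return ErrGuestMustLogin
	}
	return nil
}

// --- Vulnerable shape: each handler must remember to check. -------------

// GetDashboard remembers the check, so guests are correctly refused here.
func (s *Server) GetDashboard(c Caller) ([]string, error) {
	if err := s.authorize(c, "GetDashboard"); err != nil {
		return nil, err
	}
	ids := make([]string, 0, len(s.running))
	for id := range s.running {
		ids = append(ids, id)
	}
	return ids, nil
}

// KillActionUnchecked omits the check: any network caller can stop any
// execution. This is the behaviour CVE-2026-28790 describes.
func (s *Server) KillActionUnchecked(c Caller, id string) error {
	if !s.running[id] {
		return fmt.Errorf("no running action %q", id)
	}
	delete(s.running, id)
	return nil
}

// --- Hardened shape: one interceptor in front of every RPC. -------------

// Intercept runs the policy before any handler body, so a handler that
// forgets its own check is still covered (AC-3 enforcement in one place).
func (s *Server) Intercept(c Caller, rpc string, handler func() error) error {
	if err := s.authorize(c, rpc); err != nil {
		return fmt.Errorf("%s: %w", rpc, err)
	}
	return handler()
}

// KillAction is the same handler body routed through the interceptor.
func (s *Server) KillAction(c Caller, id string) error {
	return s.Intercept(c, "KillAction", func() error {
		return s.KillActionUnchecked(c, id)
	})
}

func main() {
	guest, admin := Caller{}, Caller{Username: "admin"}
	cfg := Config{AuthRequireGuestsToLogin: true}

	vuln := NewServer(cfg, "backup-42")
	_, err := vuln.GetDashboard(guest)
	fmt.Println("guest dashboard:", err)
	fmt.Println("guest KillAction (unchecked):", vuln.KillActionUnchecked(guest, "backup-42"),
		"| still running:", vuln.IsRunning("backup-42"))

	fixed := NewServer(cfg, "backup-42")
	fmt.Println("guest KillAction (intercepted):", fixed.KillAction(guest, "backup-42"),
		"| still running:", fixed.IsRunning("backup-42"))
	fmt.Println("admin KillAction (intercepted):", fixed.KillAction(admin, "backup-42"),
		"| still running:", fixed.IsRunning("backup-42"))
}
```

The point of the interceptor is that authorization becomes a property of the RPC surface rather than of each handler's discipline: a new or overlooked RPC is denied to guests by default, and anything guests are meant to reach has to be listed explicitly, which is exactly the review a practitioner should do on an OliveTin deployment after patching.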


Vulnerability details

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.

CWE(s)

CWE-284 Improper Access Control · CWE-862 Missing Authorization · CWE-863 Incorrect Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Broken access control on the publicly reachable KillAction RPC in the OliveTin web UI lets an unauthenticated caller exploit a public-facing application (T1190) and terminate legitimate action executions, which is a denial of service achieved through targeted application exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28789 · Same product: Olivetin Olivetin
CVE-2026-31817 · Same product: Olivetin Olivetin
CVE-2026-27626 · Same product: Olivetin Olivetin
CVE-2026-30223 · Same product: Olivetin Olivetin
CVE-2026-28342 · Same product: Olivetin Olivetin
CVE-2026-33316 · Shared CWE-284, CWE-862
CVE-2025-13928 · Shared CWE-863
CVE-2026-30241 · Shared CWE-863
CVE-2025-59683 · Shared CWE-863
CVE-2026-25317 · Shared CWE-862

Affected Assets

olivetin / olivetin: versions before 3000.11.0 (the advisory says "prior to 3000.11.0"; 3000.11.0 itself is the fixed release, so the range is < 3000.11.0, not ≤)

Mitigating Controls (NIST 800-53 r5, AI mapping)

AC-3 Access Enforcement (prevent): mandates enforcement of approved authorizations for access to system resources, directly addressing the failure to authenticate KillAction RPC calls by unauthenticated guests.

AC-14 Permitted Actions Without Identification or Authentication (prevent): requires explicit identification and authorization of actions permitted without identification or authentication, preventing unauthenticated access to disruptive functions like KillAction.

AC-6 Least Privilege (prevent): enforces least privilege for user actions, ensuring only authorized entities can terminate running actions and mitigating unauthorized DoS.
