CVE-2026-28790
Published: 05 March 2026
Summary
CVE-2026-28790 is a high-severity Improper Access Control (CWE-284) vulnerability in OliveTin. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 29.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
Supervision and review of access control activities directly detects and remediates improper access configurations or usages.
Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.
Requiring prior authorization for each remote access type prevents improper access control over remote connections.
Requiring authorization of wireless access before allowing connections enforces proper access control for this access method.
Requiring authorization and configuration controls for mobile device connections directly enforces access control and prevents unauthorized devices from reaching organizational systems.
Defining account types, requiring approvals for creation, specifying authorizations, monitoring usage, and reviewing accounts directly prevents improper access control by ensuring only authorized accounts exist and are used.
Rules governing access to the system and its data from external systems are enforced based on established trust relationships.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Broken access control on public KillAction RPC in OliveTin web UI directly enables unauthenticated exploitation of a public-facing application (T1190) to terminate legitimate action executions, achieving denial of service via targeted application exploitation (T1499.004).
NVD Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.
Deeper analysis (AI-generated)
CVE-2026-28790 is a broken access control vulnerability in OliveTin, an open-source tool that provides web interface access to predefined shell commands. In versions prior to 3000.11.0, the application fails to properly enforce authentication for the KillAction RPC endpoint, even when the configuration option authRequireGuestsToLogin is set to true. While unauthenticated guests are correctly blocked from accessing the dashboard, they can still directly invoke KillAction to terminate any running actions, leading to unauthorized denial of service against legitimate executions. The issue is classified under CWE-284 (Improper Access Control), CWE-862 (Missing Authorization), and CWE-863 (Incorrect Authorization), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated attacker with network access to the OliveTin instance can exploit this vulnerability by directly calling the KillAction RPC, requiring no privileges, user interaction, or special complexity. Successful exploitation allows the attacker to prematurely stop ongoing actions executed by authorized users, disrupting service availability without impacting confidentiality or integrity. This enables repeated denial-of-service attacks against critical shell command workflows managed through OliveTin.
The vulnerability has been addressed in OliveTin version 3000.11.0, as detailed in the project's security advisory (GHSA-4fqm-6fmh-82mq), release notes, and the patching commit (d9804182eae43cf49f735e6533ddbe1541c2b9a9). Security practitioners should upgrade to the fixed version to mitigate the issue and review configurations to ensure proper authentication enforcement.
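To make the shape of the defect concrete, the following is an added illustration written for this page, not OliveTin's own code: a single guest-login gate that the dashboard RPC applies but KillAction skips, beside a fixed handler that routes KillAction through the same gate. Only the setting name authRequireGuestsToLogin and the RPC name KillAction come from the advisory; the Config, Caller and Server types, the field name, and the method names are assumptions.

```go
package main

import "errors"

// Config holds the one setting the advisory names (Go field name assumed).
type Config struct{ AuthRequireGuestsToLogin bool }

// Caller is the identity bound to a request; an empty Username means an
// unauthenticated guest (assumed representation, not OliveTin's own).
type Caller struct{ Username string }

var ErrUnauthorized = errors.New("guests must log in")

// Server pairs the config with a constructed table of running action IDs.
type Server struct {
	cfg     Config
	running map[string]bool
}

// authorize is the single gate every RPC must pass through. Per the advisory,
// the dashboard RPC applied this check while KillAction did not.
func (s *Server) authorize(c Caller) error {
	if s.cfg.AuthRequireGuestsToLogin && c.Username == "" {
		return ErrUnauthorized
	}
	return nil
}

// kill drops the action from the running table and reports whether it existed.
func (s *Server) kill(id string) bool {
	ok := s.running[id]
	delete(s.running, id)
	return ok
}

// KillActionVulnerable mirrors the pre-3000.11.0 shape: no gate, so an
// unauthenticated guest can stop any running action.
func (s *Server) KillActionVulnerable(c Caller, id string) (bool, error) {
	return s.kill(id), nil
}

// KillActionFixed applies the same gate as the dashboard before touching the executor.
func (s *Server) KillActionFixed(c Caller, id string) (bool, error) {
	if err := s.authorize(c); err != nil {
		return false, err
	}
	return s.kill(id), nil
}
```

The point of the pattern is that the authorization decision lives in one place that every RPC method calls, so a new endpoint cannot silently bypass the guest-login setting the way KillAction did.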
Details
- CWE(s)