CVE-2026-28790
Published: 05 March 2026
Summary
CVE-2026-28790 is a high-severity Improper Access Control (CWE-284) vulnerability in OliveTin. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-28790 is a broken access control vulnerability in OliveTin, an open-source tool that provides web interface access to predefined shell commands. In versions prior to 3000.11.0, the application fails to properly enforce authentication for the KillAction RPC endpoint, even when the configuration option authRequireGuestsToLogin is set to true. While unauthenticated guests are correctly blocked from accessing the dashboard, they can still directly invoke KillAction to terminate any running actions, leading to unauthorized denial of service against legitimate executions. The issue is classified under CWE-284 (Improper Access Control), CWE-862 (Missing Authorization), and CWE-863 (Incorrect Authorization), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated attacker with network access to the OliveTin instance can exploit this vulnerability by directly calling the KillAction RPC, requiring no privileges, user interaction, or special complexity. Successful exploitation allows the attacker to prematurely stop ongoing actions executed by authorized users, disrupting service availability without impacting confidentiality or integrity. This enables repeated denial-of-service attacks against critical shell command workflows managed through OliveTin.
The vulnerability has been addressed in OliveTin version 3000.11.0, as detailed in the project's security advisory (GHSA-4fqm-6fmh-82mq), release notes, and the patching commit (d9804182eae43cf49f735e6533ddbe1541c2b9a9). Security practitioners should upgrade to the fixed version. Note that on affected versions setting authRequireGuestsToLogin: true does not close the hole, so the configuration review should verify that every RPC, not only the dashboard, actually rejects unauthenticated callers.
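The root cause described above is a per-handler authentication check that covered the dashboard but not the KillAction RPC. The Go program below is an added example, not OliveTin's code, that models both shapes behind a tiny HTTP mux: a vulnerable server that checks authRequireGuestsToLogin only inside the dashboard handler, and a hardened one that enforces the same policy in one middleware in front of every API route. The endpoint paths (/api/GetDashboardComponents, /api/KillAction), the session-cookie login check and the JSON body field are assumptions made for the example; the config option name is the one the advisory names. The same Probe call, pointed at a real instance after upgrading, is the check that confirms guests now get a 401 from KillAction.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Config holds the one OliveTin option named in the advisory. Everything else
// in this file is an illustrative stand-in, not OliveTin's implementation.
type Config struct {
	AuthRequireGuestsToLogin bool
}

// isAuthenticated is an assumed stand-in for a real session check: a request
// counts as logged in if it carries a non-empty "session" cookie.
func isAuthenticated(r *http.Request) bool {
	c, err := r.Cookie("session")
	return err == nil && c.Value != ""
}

// The two RPC handlers. Their bodies are trivial; what matters is where the
// guest check lives relative to them.
func dashboard(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "dashboard") }
func killAction(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "killed") }

// VulnerableMux models the pre-3000.11.0 shape: the guest check is written
// inside the dashboard handler, so an RPC registered without its own copy of
// the check (KillAction) is reachable by anyone.
func VulnerableMux(cfg Config) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/GetDashboardComponents", func(w http.ResponseWriter, r *http.Request) {
		if cfg.AuthRequireGuestsToLogin && !isAuthenticated(r) {
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		dashboard(w, r)
	})
	mux.HandleFunc("/api/KillAction", killAction) // no check here: the bug
	return mux
}

// requireLogin applies the policy once, for every handler behind it, so a
// newly added RPC cannot be forgotten.
func requireLogin(cfg Config, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if cfg.AuthRequireGuestsToLogin && !isAuthenticated(r) {
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// HardenedMux models the fixed shape: all /api/ routes sit behind requireLogin.
func HardenedMux(cfg Config) http.Handler {
	api := http.NewServeMux()
	api.HandleFunc("/api/GetDashboardComponents", dashboard)
	api.HandleFunc("/api/KillAction", killAction)
	root := http.NewServeMux()
	root.Handle("/api/", requireLogin(cfg, api))
	return root
}

// Probe sends one request, as a guest (no cookie) or as a logged-in user, and
// returns the HTTP status code. The JSON body is a constructed placeholder.
func Probe(h http.Handler, path string, loggedIn bool) int {
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader(`{"executionTrackingId":"example"}`))
	if loggedIn {
		req.AddCookie(&http.Cookie{Name: "session", Value: "alice"})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cfg := Config{AuthRequireGuestsToLogin: true}
	servers := []struct {
		name string
		h    http.Handler
	}{{"vulnerable", VulnerableMux(cfg)}, {"hardened", HardenedMux(cfg)}}
	for _, s := range servers {
		fmt.Printf("%-10s guest dashboard=%d  guest KillAction=%d  user KillAction=%d\n",
			s.name,
			Probe(s.h, "/api/GetDashboardComponents", false),
			Probe(s.h, "/api/KillAction", false),
			Probe(s.h, "/api/KillAction", true))
	}
}
```

Running it prints the vulnerable server blocking guests from the dashboard (401) while still serving KillAction to them (200), and the hardened server returning 401 for both guest calls and 200 for the logged-in user. The design point is the one AC-3 and AC-14 make: the list of actions a guest may take should be decided in one enforcement point, not rediscovered handler by handler.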
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9874
Vulnerability details
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.
- CWE(s): CWE-284 (Improper Access Control), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Broken access control on the publicly reachable KillAction RPC in the OliveTin web UI lets an unauthenticated caller exploit a public-facing application (T1190) to terminate legitimate action executions, which is denial of service through application exploitation (T1499.004, Endpoint Denial of Service: Application or System Exploitation).
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for access to system resources, directly addressing the failure to authenticate KillAction RPC calls by unauthenticated guests.
AC-14 requires explicit identification and authorization of actions permitted without identification or authentication, preventing unauthenticated access to disruptive functions like KillAction.
AC-6 enforces least privilege for user actions, ensuring only authorized entities can terminate running actions and mitigating unauthorized DoS.