CVE-2026-28342
Published 2026-03-05
Priority: P3 · 49 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.65% (46.3th percentile)
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS). The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits. This issue has been patched in version 3000.10.2.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | olivetin_olivetin | >= 0 < 0.0.0-20260227002407-2eb5f0ba79d4 | 0.0.0-20260227002407-2eb5f0ba79d4 |
| olivetin | olivetin | < 3000.10.2 | 3000.10.2 |
OSV
OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint in github.com/OliveTin/OliveTin
osv·2026-03-10
CVE-2026-28342 OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint in github.com/OliveTin/OliveTin
GHSA
OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint
ghsa·2026-03-02
CVE-2026-28342 [HIGH] CWE-400 OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint
## Summary
The PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS).
The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits.
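The missing control named above, request throttling, sketched in Go as an added example (not OliveTin's code and not its 3000.10.2 patch): a middleware that caps in-flight hashing requests and sheds the excess with HTTP 429. `limitHashing`, `simulate` and the blocking stand-in hasher are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// limitHashing admits at most limit concurrent requests to next; the rest get 429.
func limitHashing(limit int, next http.Handler) http.Handler {
	slots := make(chan struct{}, limit)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case slots <- struct{}{}: // slot acquired, released when hashing ends
			defer func() { <-slots }()
		default: // saturated: refuse before any hashing memory is allocated
			w.Header().Set("Retry-After", "1")
			http.Error(w, "hashing busy", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// simulate sends n parallel requests; the stand-in hasher (constructed) blocks until released.
func simulate(limit, n int) (served, shed int) {
	release := make(chan struct{})
	h := limitHashing(limit, http.HandlerFunc(func(http.ResponseWriter, *http.Request) { <-release }))
	codes := make(chan int, n)
	for i := 0; i < n; i++ {
		go func() {
			rec := httptest.NewRecorder()
			h.ServeHTTP(rec, httptest.NewRequest("POST",
				"/api/olivetin.api.v1.OliveTinApiService/PasswordHash", nil))
			codes <- rec.Code
		}()
	}
	for i := 0; i < n; i++ {
		if i == n-limit || (i == 0 && n <= limit) {
			close(release) // every shed response is in; let admitted ones finish
		}
		if <-codes == http.StatusTooManyRequests {
			shed++
		}
	}
	return n - shed, shed
}

func main() { fmt.Println(simulate(4, 50)) }
```

With a limit of 4, a burst of 50 parallel requests results in 4 hashes in flight and 46 immediate rejections, so memory use is bounded by the limit rather than by the number of callers.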
## Details
The vulnerable endpoint:
`POST /api/olivetin.api.v1.OliveTinApiService/PasswordHash`
accepts a JSON body containing a password field and returns a computed password hash.
Each request tr
OSV
OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint
osv·2026-03-02
CVE-2026-28342 [HIGH] OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint
No detection rules found.
No public exploits indexed.