CVE-2026-28790
Published 2026-03-05
Priority P3 · 47 · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.65% (46.5th percentile)
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | olivetin_olivetin | >= 0 < 0.0.0-20260302002902-d9804182eae4 | 0.0.0-20260302002902-d9804182eae4 |
| olivetin | olivetin | < 3000.11.0 | 3000.11.0 |
OSV
OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login in github.com/OliveTin/OliveTin
osv·2026-03-10
OSV
OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login
osv·2026-03-02
CVE-2026-28790 [HIGH] OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login
### Summary
OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when `authRequireGuestsToLogin: true` is enabled. In the tested release (3000.10.2), guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions.
### Details
The issue is caused by inconsistent authorization enforcement between dashboard access and action-control RPCs.
KillAction() authenticates the caller and applies only the per-action kill ACL check:
- service/internal/api/api.go:62
However, it does n
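The authorization gap described in the Details, as an added Go sketch that is not OliveTin's own code: a kill path that consults only the per-action ACL (the reported behaviour) beside one that enforces the guest-login requirement before that ACL, as the dashboard does. `Config`, `Caller`, `Action` and both function names are assumptions; only `authRequireGuestsToLogin` and the per-action kill ACL come from the advisory.

```go
package main

import (
	"errors"
	"fmt"
)

// Config: field name is an assumption; only the key authRequireGuestsToLogin is on the page.
type Config struct{ AuthRequireGuestsToLogin bool }

// Caller models the authenticated request (hypothetical); no login means the guest account.
type Caller struct {
	Username string
	IsGuest  bool
}

// Action is a hypothetical running action; its per-action kill ACL is
// modelled as the set of usernames allowed to kill it.
type Action struct{ KillAllowed map[string]bool }

var ErrLoginRequired = errors.New("guests must log in")
var ErrForbidden = errors.New("caller may not kill this action")

// killActionVulnerable mirrors the behaviour the advisory describes: the
// caller is authenticated, but only the per-action kill ACL is consulted,
// so a guest the ACL admits can stop a running action.
func killActionVulnerable(_ Config, c Caller, a Action) error {
	if !a.KillAllowed[c.Username] {
		return ErrForbidden
	}
	return nil
}

// killActionFixed applies the gate the dashboard already applies: when
// guests must log in, a guest is rejected before the per-action ACL check.
func killActionFixed(cfg Config, c Caller, a Action) error {
	if cfg.AuthRequireGuestsToLogin && c.IsGuest {
		return ErrLoginRequired
	}
	return killActionVulnerable(cfg, c, a) // the ACL still applies afterwards
}

func main() {
	// Constructed sample: login required, and an ACL that admits "guest".
	cfg := Config{AuthRequireGuestsToLogin: true}
	guest := Caller{Username: "guest", IsGuest: true}
	a := Action{KillAllowed: map[string]bool{"guest": true}}
	fmt.Println("vulnerable:", killActionVulnerable(cfg, guest, a)) // <nil>
	fmt.Println("fixed:", killActionFixed(cfg, guest, a))           // guests must log in
}
```

The order of the two checks is the whole fix: a global "guests must log in" rule has to run before any per-action policy, otherwise a permissive ACL silently re-opens the RPC to unauthenticated callers.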
GHSA
OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login
ghsa·2026-03-02
CVE-2026-28790 [HIGH] CWE-284 OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login
No detection rules found.
No public exploits indexed.