CVE-2026-28790
published 2026-03-05

Priority P347, high 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.65% (46.5th percentile)

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.

Affected (2 ranges)

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| github.com | olivetin_olivetin | >= 0 < 0.0.0-20260302002902-d9804182eae4 | 0.0.0-20260302002902-d9804182eae4 |
| olivetin | olivetin | < 3000.11.0 | 3000.11.0 |