Skip to main content

Olivetin CVE-2026-28790

HIGH
Improper Access Control (CWE-284)
2026-03-05 security-advisories@github.com GHSA-4fqm-6fmh-82mq
Denial Of Service Olivetin Suse
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
PoC Detected
Mar 10, 2026 - 15:29 vuln.today
Public exploit code
Patch released
Mar 10, 2026 - 15:29 nvd
Patch available
CVE Published
Mar 05, 2026 - 20:16 nvd
HIGH 7.5

DescriptionGitHub Advisory

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.

AnalysisAI

OliveTin versions prior to 3000.11.0 suffer from broken access control allowing unauthenticated users to invoke the KillAction RPC endpoint and terminate running shell command executions, bypassing authentication restrictions. Public exploit code exists for this vulnerability, enabling remote denial of service attacks against legitimate administrative actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send unauthenticated HTTP request
Exploit
Call KillAction RPC endpoint directly
Execution
Terminate running shell command execution
Impact
Deny service to legitimate users
Sign in to reveal

Vulnerability AssessmentAI

Exploitation OliveTin versions prior to 3000.11.0 with authRequireGuestsToLogin: true enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker without authentication could exploit this vulnerability to compromise the affected system.
Remediation A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all OliveTin instances in your environment and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48708 HIGH
7.5 Jun 15

Concurrent action execution in OliveTin versions 3000.0.0 and prior triggers a race condition in a shared text/template.
CVE-2026-48709 LOW
3.7 Jun 15

OliveTin's ValidateArgumentType RPC endpoint exposes action binding IDs and argument configurations to unauthenticated n

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-28790 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy