CVSS 3.1 score: 7.5

OliveTin: Unauthenticated users can crash the system with excessive requests

GHSA-pc8g-78pf-4xrp CVE-2026-28342
Summary

Prior to version 3000.10.2, OliveTin's PasswordHash API endpoint can be exploited by sending multiple requests in quick succession, causing the system to run out of memory and become unavailable. This can lead to service degradation or complete downtime. To protect your system, update to version 3000.10.2 or later.

What to do
  • Update github.com olivetin to version 0.0.0-20260227002407-2eb5f0ba79d4.
Affected software
Vendor | Product | Affected versions | Fix available
github.com | olivetin | <= 0.0.0-20260227002407-2eb5f0ba79d4 | 0.0.0-20260227002407-2eb5f0ba79d4
olivetin | olivetin | <= 3000.10.2 | –
Original title
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocatio...
Original description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS). The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits. This issue has been patched in version 3000.10.2.
Source: GHSA · CVSS 3.1: 7.5
Vulnerability type
CWE-400 Uncontrolled Resource Consumption
CWE-770 Allocation of Resources Without Limits
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026
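
The description above traces the issue to memory-intensive hashing that runs with no throttling or resource limit. The following Go example is added here for illustration and is not OliveTin's code or its actual patch: it caps the number of hashes in flight with a semaphore and answers excess requests with 429 before any hashing memory is allocated. The names `slowHash`, `limitHashing`, `burst` and the `/hash` path are hypothetical, and the hash is a constructed stand-in.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// slowHash (hypothetical): constructed stand-in for a memory-hard hash, not OliveTin's code.
func slowHash(pw string) string {
	buf := make([]byte, 1<<20) // 1 MiB held per in-flight request
	time.Sleep(50 * time.Millisecond)
	return fmt.Sprintf("%08x", len(buf)+len(pw))
}

// limitHashing (hypothetical): at most max hashes in flight; overflow gets 429, no allocation.
func limitHashing(max int) http.Handler {
	slots := make(chan struct{}, max) // counting semaphore
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case slots <- struct{}{}: // a slot is free: take it, release it when done
			defer func() { <-slots }()
			fmt.Fprint(w, slowHash(r.PostFormValue("password")))
		default: // cap reached: refuse immediately instead of queueing
			http.Error(w, "hashing busy, retry later", http.StatusTooManyRequests)
		}
	})
}

// burst sends n parallel requests to a handler capped at max and counts the outcomes.
func burst(n, max int) (ok, rejected int) {
	h := limitHashing(max)
	codes := make(chan int, n)
	for i := 0; i < n; i++ {
		go func() {
			rec := httptest.NewRecorder()
			h.ServeHTTP(rec, httptest.NewRequest("POST", "/hash", nil))
			codes <- rec.Code
		}()
	}
	for i := 0; i < n; i++ {
		if <-codes == http.StatusOK {
			ok++
		}
	}
	return ok, n - ok
}

func main() { fmt.Println(burst(20, 2)) }
```

With the cap in place, worst-case hashing memory is bounded by `max` times the per-hash allocation regardless of how many requests arrive in parallel.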