Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
7.5

OliveTin allows unauthenticated guests to stop running actions

GHSA-4fqm-6fmh-82mq CVE-2026-28790
Summary

Prior to version 3000.11.0, OliveTin's security settings were not properly enforced, allowing anyone to stop running actions without logging in. This could cause legitimate tasks to be interrupted. To fix this, update to OliveTin version 3000.11.0 or later.

What to do
  • Update github.com olivetin to version 0.0.0-20260302002902-d9804182eae4.
Affected software
VendorProductAffected versionsFix available
github.com olivetin <= 0.0.0-20260302002902-d9804182eae4 0.0.0-20260302002902-d9804182eae4
olivetin olivetin <= 3000.11.0 –
Original title
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even wh...
Original description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.
ghsa CVSS3.1 7.5
Vulnerability type
CWE-284 Improper Access Control
CWE-862 Missing Authorization
CWE-863 Incorrect Authorization
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026