OliveTin: Unauthenticated Service Crash via OAuth Login
GHSA-45m3-398w-m2m9
CVE-2026-28789
Summary
An affected version of OliveTin can crash when it receives multiple concurrent login requests; the defect is fixed in a recent update. If you run an affected version, update to the latest release to avoid service disruption. The attack is remote and does not require the attacker to be logged in.
What to do
- Update github.com olivetin to version 0.0.0-20260301235225-f044d90d5525c.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | olivetin | <= 0.0.0-20260301235225-f044d90d5525c | 0.0.0-20260301235225-f044d90d5525c |
| olivetin | olivetin | <= 3000.10.2 | – |
Original description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.
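The description above names the defect (unsynchronized writes to a shared registeredStates map from concurrent login requests) but not the fix pattern. The Go below is an added example written for this page, not OliveTin's code or its patch; StateStore, Register, Consume, maxPending and RegisterConcurrently are assumed names. It keeps every access to the state map under a mutex, validates and deletes a state in the same locked step so it can be redeemed only once, expires stale entries, and caps the number outstanding so a flood of login requests cannot grow the map without bound (the CWE-400 angle the advisory also lists).

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// StateStore, Register, Consume and maxPending are names chosen for this
// example; they are not OliveTin's own identifiers.
var ErrTooManyPending = errors.New("too many pending login states")
var ErrUnknownState = errors.New("unknown or expired state")

// StateStore keeps the OAuth2 "state" values issued at login until the
// callback redeems them. Every map access happens under mu, so concurrent
// login requests cannot race into "fatal error: concurrent map writes".
type StateStore struct {
	mu         sync.Mutex
	pending    map[string]time.Time // state -> expiry
	maxPending int
	ttl        time.Duration
	now        func() time.Time // injectable clock so tests can expire entries
}

func NewStateStore(maxPending int, ttl time.Duration) *StateStore {
	return &StateStore{pending: map[string]time.Time{}, maxPending: maxPending, ttl: ttl, now: time.Now}
}

// newState returns a random, URL-safe state token.
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Register issues a state. Under the lock it first drops expired entries,
// then refuses to grow past maxPending, so a login flood cannot exhaust memory.
func (s *StateStore) Register() (string, error) {
	state, err := newState()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now()
	for st, exp := range s.pending {
		if now.After(exp) {
			delete(s.pending, st)
		}
	}
	if len(s.pending) >= s.maxPending {
		return "", ErrTooManyPending
	}
	s.pending[state] = now.Add(s.ttl)
	return state, nil
}

// Consume validates and deletes a state in one locked step, so each state is
// redeemable at most once even when callbacks arrive concurrently.
func (s *StateStore) Consume(state string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.pending[state]
	delete(s.pending, state)
	if !ok || s.now().After(exp) {
		return ErrUnknownState
	}
	return nil
}

// RegisterConcurrently simulates n simultaneous login requests and returns
// how many were admitted; the rest hit the cap instead of crashing the process.
func RegisterConcurrently(s *StateStore, n int) int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	admitted := 0
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if _, err := s.Register(); err == nil {
				mu.Lock()
				admitted++
				mu.Unlock()
			}
		}()
	}
	wg.Wait()
	return admitted
}

func main() {
	s := NewStateStore(100, 5*time.Minute)
	fmt.Println("admitted:", RegisterConcurrently(s, 500))
}
```

Run `go test -race` over a store like this as the regression check: the race detector reports any remaining unsynchronized access to the map at test time, rather than leaving it to surface as a runtime panic in production.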
GHSA CVSS 3.1 base score: 7.5
Vulnerability type
- CWE-362: Race Condition
- CWE-400: Uncontrolled Resource Consumption
- CWE-662: Improper Synchronization
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026