Vulnerability-Lookup

CVE-2026-28789 (GCVE-0-2026-28789)

Vulnerability from cvelistv5 – Published: 2026-03-05 19:33 – Updated: 2026-03-06 18:01

Title

OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling

Summary

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-662 - Improper Synchronization
CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/OliveTin/OliveTin/security/adv…	x_refsource_CONFIRM
	https://github.com/OliveTin/OliveTin/commit/f044d…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	OliveTin	OliveTin	Affected: < 3000.10.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28789",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T18:01:34.546987Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T18:01:38.094Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OliveTin",
          "vendor": "OliveTin",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3000.10.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin\u2019s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-662",
              "description": "CWE-662: Improper Synchronization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-05T19:33:46.924Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"
        },
        {
          "name": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36"
        }
      ],
      "source": {
        "advisory": "GHSA-45m3-398w-m2m9",
        "discovery": "UNKNOWN"
      },
      "title": "OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28789",
    "datePublished": "2026-03-05T19:33:46.924Z",
    "dateReserved": "2026-03-03T14:25:19.244Z",
    "dateUpdated": "2026-03-06T18:01:38.094Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-28789\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-05T20:16:16.653\",\"lastModified\":\"2026-03-09T13:36:08.413\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin\u2019s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.\"},{\"lang\":\"es\",\"value\":\"OliveTin proporciona acceso a comandos de shell predefinidos desde una interfaz web. Antes de la versi\u00f3n 3000.10.3, existe una vulnerabilidad de denegaci\u00f3n de servicio no autenticada en el flujo de inicio de sesi\u00f3n OAuth2 de OliveTin. Las solicitudes concurrentes a /oauth/login pueden desencadenar un acceso no sincronizado a un mapa registeredStates compartido, causando un p\u00e1nico en tiempo de ejecuci\u00f3n de Go (error fatal: escrituras concurrentes en el mapa) y la terminaci\u00f3n del proceso. Esto permite a los atacantes remotos bloquear el servicio cuando OAuth2 est\u00e1 habilitado. Este problema ha sido parcheado en la versi\u00f3n 3000.10.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"},{\"lang\":\"en\",\"value\":\"CWE-400\"},{\"lang\":\"en\",\"value\":\"CWE-662\"}]}],\"references\":[{\"url\":\"https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28789\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-06T18:01:34.546987Z\"}}}], \"references\": [{\"url\": \"https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-06T18:01:27.656Z\"}}], \"cna\": {\"title\": \"OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling\", \"source\": {\"advisory\": \"GHSA-45m3-398w-m2m9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"OliveTin\", \"product\": \"OliveTin\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3000.10.3\"}]}], \"references\": [{\"url\": \"https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9\", \"name\": \"https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36\", \"name\": \"https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin\\u2019s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-362\", \"description\": \"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-662\", \"description\": \"CWE-662: Improper Synchronization\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-05T19:33:46.924Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-28789\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-06T18:01:38.094Z\", \"dateReserved\": \"2026-03-03T14:25:19.244Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-05T19:33:46.924Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-45M3-398W-M2M9

Vulnerability from github – Published: 2026-03-02 21:41 – Updated: 2026-03-05 22:49

Summary

OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling

Details

Summary

An unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled.

Details

The OAuth2 handler stores per-login state in a shared map without synchronization:

service/internal/auth/otoauth2/restapi_auth_oauth2.go:24 registeredStates map[string]*oauth2State
Unlocked write in login handler: .../restapi_auth_oauth2.go:141
Unlocked read in callback check: .../restapi_auth_oauth2.go:174
Unlocked writes in callback flow: .../restapi_auth_oauth2.go:284-285
Unlocked read in auth chain check: .../restapi_auth_oauth2.go:376

These paths are network reachable via publicly registered routes:

  - service/internal/httpservers/frontend.go:71 → /oauth/login
  - service/internal/httpservers/frontend.go:72 → /oauth/callback

Because Go HTTP handlers run concurrently, high parallel traffic to /oauth/login causes concurrent map access and runtime panic.

Tested on:

Container image: ghcr.io/olivetin/olivetin:3000.10.0
Source also contains same pattern at commit/tag eb42029b5d0c0633551621288180dd4566b913f7 (3000.10.1)

PoC

Start OliveTin with OAuth2 provider configured (example github), exposing port 1337.
Confirm baseline:

  curl -i http://127.0.0.1:1337/readyz
  curl -i "http://127.0.0.1:1337/oauth/login?provider=github"

Expected: 200 for /readyz, 302 for /oauth/login.

Run concurrency PoC:

  python3 /OliveTin/tools/poc_oauth2_state_map_race_dos.py \
    --base-url http://127.0.0.1:1337 \
    --provider github \
    --workers 80 \
    --requests 120000 \
    --health-failures 3

Verify crash:

docker inspect olivetin-dos --format 'status={{.State.Status}} exit={{.State.ExitCode}}' docker logs olivetin-dos 2>&1 | grep -E "fatal error: concurrent map|concurrent map writes|restapi_auth_oauth2.go"

Observed result:

Process exited with code 2
Logs include:
- fatal error: concurrent map writes
- .../internal/auth/otoauth2/restapi_auth_oauth2.go:141 in HandleOAuthLogin

Impact

Vulnerability type: Race condition (CWE-362) leading to DoS.
Attacker requirements: network access only; no authentication required for exploit path.
Impacted deployments: OliveTin instances with OAuth2 enabled and reachable over network.
Security impact: remote unauthenticated attacker can repeatedly crash OliveTin, causing availability loss until restart/recovery.

poc_oauth2_state_map_race_dos.py

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/OliveTin/OliveTin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260301235225-f044d90d5525c"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-400",
      "CWE-662"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T21:41:36Z",
    "nvd_published_at": "2026-03-05T20:16:16Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn unauthenticated denial-of-service vulnerability exists in OliveTin\u2019s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal\n  error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled.\n\n\n### Details\nThe OAuth2 handler stores per-login state in a shared map without synchronization:\n\n  - service/internal/auth/otoauth2/restapi_auth_oauth2.go:24\n    registeredStates map[string]*oauth2State\n  - Unlocked write in login handler: .../restapi_auth_oauth2.go:141\n  - Unlocked read in callback check: .../restapi_auth_oauth2.go:174\n  - Unlocked writes in callback flow: .../restapi_auth_oauth2.go:284-285\n  - Unlocked read in auth chain check: .../restapi_auth_oauth2.go:376\n\n  These paths are network reachable via publicly registered routes:\n```bash\n  - service/internal/httpservers/frontend.go:71 \u2192 /oauth/login\n  - service/internal/httpservers/frontend.go:72 \u2192 /oauth/callback\n```\n  Because Go HTTP handlers run concurrently, high parallel traffic to /oauth/login causes concurrent map access and runtime panic.\n\n  Tested on:\n\n  - Container image: ghcr.io/olivetin/olivetin:3000.10.0\n  - Source also contains same pattern at commit/tag eb42029b5d0c0633551621288180dd4566b913f7 (3000.10.1)\n\n\n### PoC\n1. Start OliveTin with OAuth2 provider configured (example github), exposing port 1337.\n  2. Confirm baseline:\n```bash\n  curl -i http://127.0.0.1:1337/readyz\n  curl -i \"http://127.0.0.1:1337/oauth/login?provider=github\"\n```\n  Expected: 200 for /readyz, 302 for /oauth/login.\n\n  3. Run concurrency PoC:\n```bash\n  python3 /OliveTin/tools/poc_oauth2_state_map_race_dos.py \\\n    --base-url http://127.0.0.1:1337 \\\n    --provider github \\\n    --workers 80 \\\n    --requests 120000 \\\n    --health-failures 3\n```\n  4. Verify crash:\n\n  docker inspect olivetin-dos --format \u0027status={{.State.Status}} exit={{.State.ExitCode}}\u0027\n  docker logs olivetin-dos 2\u003e\u00261 | grep -E \"fatal error: concurrent map|concurrent map writes|restapi_auth_oauth2.go\"\n\n  Observed result:\n\n  - Process exited with code 2\n  - Logs include:\n      - fatal error: concurrent map writes\n      - .../internal/auth/otoauth2/restapi_auth_oauth2.go:141 in HandleOAuthLogin\n\n\n\n### Impact\n- Vulnerability type: Race condition (CWE-362) leading to DoS.\n  - Attacker requirements: network access only; no authentication required for exploit path.\n  - Impacted deployments: OliveTin instances with OAuth2 enabled and reachable over network.\n  - Security impact: remote unauthenticated attacker can repeatedly crash OliveTin, causing availability loss until restart/recovery.\n \n[poc_oauth2_state_map_race_dos.py](https://github.com/user-attachments/files/25577901/poc_oauth2_state_map_race_dos.py)",
  "id": "GHSA-45m3-398w-m2m9",
  "modified": "2026-03-05T22:49:34Z",
  "published": "2026-03-02T21:41:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28789"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OliveTin/OliveTin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-28789 (GCVE-0-2026-28789)

GHSA-45M3-398W-M2M9

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature