CVE-2026-28790

Source
https://cve.org/CVERecord?id=CVE-2026-28790
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28790.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-28790
Published
2026-03-05T19:34:53.951Z
Modified
2026-04-10T05:41:25.730405Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login
Details

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.

Database specific
{
    "cwe_ids": [
        "CWE-284",
        "CWE-862",
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28790.json",
    "cna_assigner": "GitHub_M"
}
Affected packages

Git / github.com/OliveTin/OliveTin

Affected ranges

Type
GIT
Repo
https://github.com/OliveTin/OliveTin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3000.11.0"
        }
    ]
}
Type
GIT
Repo
https://github.com/olivetin/olivetin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2021-05-19.*
2021-05-19.28
2021-05-24.*
2021-05-24.f44
Other
2021-05-25
2021-05-28
2021-07-16
2021-07-19
2021-11-17
2021-11-17-2
2021-11-19
2022-01-06
2022-04-07
2022-10-19
2021-11-02.*
2021-11-02.alpha1-task-arguments
2022.*
2022.11.11
2022.11.14
2023.*
2023.02.16
2023.03.22
2023.03.24
2023.03.24-2
2023.03.24-3
2023.03.24-4
2023.03.25
2023.10.09
2023.10.12
2023.10.24
2023.10.25
2023.12.1
2023.12.17
2023.12.20
2023.12.21
2024.*
2024.02.01
2024.02.27
2024.02.28
2024.03.01
2024.03.05
2024.03.06
2024.03.08
2024.03.081
2024.03.24
2024.04.021
2024.04.09
2024.04.11
2024.04.14
2024.04.18
2024.04.20
2024.04.26
2024.04.261
2024.04.28
2024.05.13
2024.05.24
2024.05.27
2024.05.31
2024.05.51
2024.06.01
2024.06.02
2024.06.04
2024.07.03
2024.07.06
2024.07.07
2024.07.13
2024.07.15
2024.07.152
2024.07.153
2024.07.16
2024.08.14
2024.08.25
2024.08.31
2024.09.02
2024.09.10
2024.09.11
2024.09.16
2024.10.01
2024.10.02
2024.10.14
2024.10.17
2024.10.18
2024.10.26
2024.10.27
2024.11.02
2024.11.09
2024.11.18
2024.11.24
2024.12.11
2025.*
2025.2.19
2025.2.21
2025.3.23
2025.3.28
2025.4.14
2025.4.21
2025.4.22
2025.4.8
2025.5.26
2025.6.1
2025.6.22
2025.6.6
2025.7.13
2025.7.19
3000.*
3000.0.0
3000.0.1
3000.0.2
3000.1.0
3000.1.1
3000.1.2
3000.10.0
3000.10.1
3000.10.2
3000.2.0
3000.2.1
3000.3.0
3000.3.1
3000.3.2
3000.4.0
3000.5.0
3000.6.0
3000.7.0
3000.8.0
3000.9.0
3000.9.1
3000.9.2
3000.9.3
3000.9.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28790.json"