Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-28342 is a high-severity unauthenticated Denial of Service (DoS) vulnerability in the OliveTin project's PasswordHash API endpoint. This endpoint accepts password hashing requests without requiring authentication or limiting the number of concurrent requests."}, {'type': 'paragraph', 'content': "Because the hashing function is computationally and memory intensive, an attacker can send many parallel requests to exhaust the server's memory resources. For example, 50 parallel requests can consume about 3.2 GB of RAM, causing service instability or container termination."}, {'type': 'paragraph', 'content': 'The root cause is the lack of request throttling, authentication, or resource limits on this endpoint, allowing uncontrolled resource consumption leading to denial of service.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a denial of service by exhausting the available memory of the container or server running OliveTin. An attacker can cause service degradation or complete outage by sending multiple concurrent password hashing requests.

In production environments, especially those without reverse proxy rate limiting, this can cause the service to crash or the container to terminate, resulting in loss of availability.

Since no authentication or user interaction is required, remote attackers can exploit this vulnerability easily over the network.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for multiple concurrent POST requests to the PasswordHash API endpoint at /api/olivetin.api.v1.OliveTinApiService/PasswordHash. Excessive parallel requests to this endpoint may cause unusually high memory usage and service instability.'}, {'type': 'paragraph', 'content': 'You can use network monitoring or web server logs to identify a high volume of POST requests targeting this endpoint without authentication.'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity include:'}, {'type': 'list_item', 'content': 'Using curl in a loop to simulate or detect concurrent requests: for i in {1..50}; do curl -X POST -H \'Content-Type: application/json\' -d \'{"password":"test"}\' http://yourserver/api/olivetin.api.v1.OliveTinApiService/PasswordHash & done'}, {'type': 'list_item', 'content': 'Using netstat or ss to monitor active connections to the server on the relevant port.'}, {'type': 'list_item', 'content': 'Checking web server access logs for repeated POST requests to the PasswordHash endpoint.'}, {'type': 'list_item', 'content': 'Using monitoring tools to observe memory usage spikes correlated with requests to the vulnerable endpoint.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade OliveTin to version 3000.10.2 or later, where the vulnerability has been patched.

The patch introduces a 10-slot semaphore around password hash functions to limit concurrent resource usage, preventing excessive memory consumption and denial of service.

If upgrading immediately is not possible, consider implementing rate limiting or request throttling at the reverse proxy level (e.g., Nginx, Traefik) to restrict the number of concurrent requests to the PasswordHash API endpoint.

Additionally, monitor and restrict unauthenticated access to this endpoint to reduce the risk of exploitation.

Useful 0 Not Useful 0