CVE-2026-28789
Received Received - Intake
Unauthenticated DoS via OAuth2 Login Race in OliveTin

Publication date: 2026-03-05

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28789
EUVD
EUVD-2026-9873
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
olivetin olivetin to 3000.10.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-662 The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-28789 is a vulnerability in OliveTin's OAuth2 login flow where concurrent requests to the /oauth/login endpoint cause unsynchronized access to a shared map named registeredStates. This map tracks OAuth2 login states but lacks proper synchronization, leading to concurrent map writes."}, {'type': 'paragraph', 'content': "Because Go's HTTP handlers run concurrently, multiple simultaneous requests can trigger a race condition that causes a runtime panic with the error 'fatal error: concurrent map writes'. This panic crashes the OliveTin service process, resulting in a denial-of-service (DoS) condition."}, {'type': 'paragraph', 'content': 'The vulnerability is unauthenticated and can be exploited remotely by sending many concurrent requests to the OAuth2 login endpoint. It was fixed by adding mutex locks to synchronize access to the shared map, preventing concurrent writes and ensuring thread safety.'}] [1, 2]

Impact Analysis

This vulnerability can cause the OliveTin service to crash unexpectedly when OAuth2 login is enabled and the /oauth/login endpoint receives concurrent requests.

An attacker can exploit this remotely without authentication by sending many simultaneous requests, triggering a race condition that leads to a runtime panic and process termination.

The impact is a denial-of-service (DoS) condition, causing loss of availability of the OliveTin service until it is manually restarted or recovered.

  • No confidentiality or integrity impact.
  • High availability impact due to service crashes.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for crashes or runtime panics in the OliveTin service related to concurrent map writes in the OAuth2 login flow.'}, {'type': 'paragraph', 'content': 'Specifically, look for log entries indicating a Go runtime panic with the error message "fatal error: concurrent map writes" originating from the OAuth2 handler code.'}, {'type': 'paragraph', 'content': 'A practical detection method involves sending a high volume of concurrent HTTP requests to the /oauth/login endpoint and observing if the service crashes or logs the fatal error.'}, {'type': 'paragraph', 'content': 'For example, using a tool like curl or a custom script to generate concurrent requests to /oauth/login can help reproduce the issue if the service is vulnerable.'}, {'type': 'list_item', 'content': 'Use a command or script to send many concurrent requests to the /oauth/login endpoint, such as a Python script with multiple workers.'}, {'type': 'list_item', 'content': 'Monitor the OliveTin service logs for runtime panics or fatal errors mentioning "concurrent map writes".'}, {'type': 'list_item', 'content': 'Check the service status to see if it crashes or terminates unexpectedly after such requests.'}] [2]

Mitigation Strategies

The immediate mitigation step is to upgrade OliveTin to version 3000.10.3 or later, where the vulnerability has been patched.

The patch introduces proper concurrency control using mutex locks to prevent concurrent map writes in the OAuth2 login flow.

If upgrading immediately is not possible, consider disabling OAuth2 login functionality temporarily to prevent exploitation.

Additionally, monitor the service for crashes and restart it if necessary until the patch can be applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28789. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart