Vulnerability Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through `KillAction` even when `authRequireGuestsToLogin: true` is enabled. Guests are correctly blocked from dashboard access, but can still call the `KillAction` RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Olivetin | Olivetin | < 3000.11.0 |
Related Weaknesses (CWE)
References
- https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2 (Patch)
- https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0 (Product, Release Notes)
- https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-28790?
CVE-2026-28790 is a vulnerability with a CVSS score of 7.5 (HIGH). OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when ...
How severe is CVE-2026-28790?
CVE-2026-28790 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2026-28790?
Yes. The issue is fixed in OliveTin version 3000.11.0; see the references section above for the vendor advisory and patch commit. Affected products include: Olivetin Olivetin (versions before 3000.11.0).