{"id":"CVE-2026-28789","summary":"OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling","details":"OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.","aliases":["GHSA-45m3-398w-m2m9","GO-2026-4586"],"modified":"2026-04-10T05:41:26.859523Z","published":"2026-03-05T19:33:46.924Z","related":["SUSE-SU-2026:1042-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28789.json","cwe_ids":["CWE-362","CWE-400","CWE-662"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28789.json"},{"type":"ADVISORY","url":"https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28789"},{"type":"FIX","url":"https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/OliveTin/OliveTin","events":[{"introduced":"0"},{"last_affected":"2eb5f0ba79d4bbef3c802bf8b4666a7e18dcfd90"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3000.10.2"}]}},{"type":"GIT","repo":"https://github.com/olivetin/olivetin","events":[{"introduced":"0"},{"fixed":"f044d90d5525c4c8e3f421b32ed7eff771c22d36"}]}],"versions":["2021-05-19.28","2021-05-24.f44","2021-05-25","2021-05-28","2021-07-16","2021-07-19","2021-11-02.alpha1-task-arguments","2021-11-17","2021-11-17-2","2021-11-19","2022-01-06","2022-04-07","2022-10-19","2022.11.11","2022.11.14","2023.02.16","2023.03.22","2023.03.24","2023.03.24-2","2023.03.24-3","2023.03.24-4","2023.03.25","2023.10.09","2023.10.12","2023.10.24","2023.10.25","2023.12.1","2023.12.17","2023.12.20","2023.12.21","2024.02.01","2024.02.27","2024.02.28","2024.03.01","2024.03.05","2024.03.06","2024.03.08","2024.03.081","2024.03.24","2024.04.021","2024.04.09","2024.04.11","2024.04.14","2024.04.18","2024.04.20","2024.04.26","2024.04.261","2024.04.28","2024.05.13","2024.05.24","2024.05.27","2024.05.31","2024.05.51","2024.06.01","2024.06.02","2024.06.04","2024.07.03","2024.07.06","2024.07.07","2024.07.13","2024.07.15","2024.07.152","2024.07.153","2024.07.16","2024.08.14","2024.08.25","2024.08.31","2024.09.02","2024.09.10","2024.09.11","2024.09.16","2024.10.01","2024.10.02","2024.10.14","2024.10.17","2024.10.18","2024.10.26","2024.10.27","2024.11.02","2024.11.09","2024.11.18","2024.11.24","2024.12.11","2025.2.19","2025.2.21","2025.3.23","2025.3.28","2025.4.14","2025.4.21","2025.4.22","2025.4.8","2025.5.26","2025.6.1","2025.6.22","2025.6.6","2025.7.13","2025.7.19","3000.0.0","3000.0.1","3000.0.2","3000.1.0","3000.1.1","3000.1.2","3000.10.0","3000.10.1","3000.10.2","3000.2.0","3000.2.1","3000.3.0","3000.3.1","3000.3.2","3000.4.0","3000.5.0","3000.6.0","3000.7.0","3000.8.0","3000.9.0","3000.9.1","3000.9.2","3000.9.3","3000.9.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28789.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}