{"id":"CVE-2026-28790","summary":"OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login","details":"OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.","aliases":["GHSA-4fqm-6fmh-82mq","GO-2026-4587"],"modified":"2026-04-10T05:41:25.730405Z","published":"2026-03-05T19:34:53.951Z","related":["SUSE-SU-2026:1042-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28790.json","cwe_ids":["CWE-284","CWE-862","CWE-863"]},"references":[{"type":"WEB","url":"https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28790.json"},{"type":"ADVISORY","url":"https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28790"},{"type":"FIX","url":"https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/OliveTin/OliveTin","events":[{"introduced":"0"},{"fixed":"235493e471249b07cf20abdf5850f9ba38d8effa"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3000.11.0"}]}},{"type":"GIT","repo":"https://github.com/olivetin/olivetin","events":[{"introduced":"0"},{"fixed":"d9804182eae43cf49f735e6533ddbe1541c2b9a9"},{"fixed":"235493e471249b07cf20abdf5850f9ba38d8effa"}]}],"versions":["2021-05-19.28","2021-05-24.f44","2021-05-25","2021-05-28","2021-07-16","2021-07-19","2021-11-02.alpha1-task-arguments","2021-11-17","2021-11-17-2","2021-11-19","2022-01-06","2022-04-07","2022-10-19","2022.11.11","2022.11.14","2023.02.16","2023.03.22","2023.03.24","2023.03.24-2","2023.03.24-3","2023.03.24-4","2023.03.25","2023.10.09","2023.10.12","2023.10.24","2023.10.25","2023.12.1","2023.12.17","2023.12.20","2023.12.21","2024.02.01","2024.02.27","2024.02.28","2024.03.01","2024.03.05","2024.03.06","2024.03.08","2024.03.081","2024.03.24","2024.04.021","2024.04.09","2024.04.11","2024.04.14","2024.04.18","2024.04.20","2024.04.26","2024.04.261","2024.04.28","2024.05.13","2024.05.24","2024.05.27","2024.05.31","2024.05.51","2024.06.01","2024.06.02","2024.06.04","2024.07.03","2024.07.06","2024.07.07","2024.07.13","2024.07.15","2024.07.152","2024.07.153","2024.07.16","2024.08.14","2024.08.25","2024.08.31","2024.09.02","2024.09.10","2024.09.11","2024.09.16","2024.10.01","2024.10.02","2024.10.14","2024.10.17","2024.10.18","2024.10.26","2024.10.27","2024.11.02","2024.11.09","2024.11.18","2024.11.24","2024.12.11","2025.2.19","2025.2.21","2025.3.23","2025.3.28","2025.4.14","2025.4.21","2025.4.22","2025.4.8","2025.5.26","2025.6.1","2025.6.22","2025.6.6","2025.7.13","2025.7.19","3000.0.0","3000.0.1","3000.0.2","3000.1.0","3000.1.1","3000.1.2","3000.10.0","3000.10.1","3000.10.2","3000.2.0","3000.2.1","3000.3.0","3000.3.1","3000.3.2","3000.4.0","3000.5.0","3000.6.0","3000.7.0","3000.8.0","3000.9.0","3000.9.1","3000.9.2","3000.9.3","3000.9.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28790.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}