CVE-2026-28342 Overview
OliveTin is a web interface for running predefined shell commands. A denial of service vulnerability exists in its PasswordHash API endpoint: unauthenticated attackers can exhaust container memory by sending many concurrent password hashing requests. This resource exhaustion flaw (CWE-400, Uncontrolled Resource Consumption) lets attackers degrade service performance or take the service down entirely.
Critical Impact
Unauthenticated attackers can cause denial of service by exploiting the lack of request throttling and resource limits on the memory-intensive password hashing endpoint.
Affected Products
- OliveTin versions prior to 3000.10.2
Discovery Timeline
- 2026-03-05 - CVE CVE-2026-28342 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28342
Vulnerability Analysis
This vulnerability targets the PasswordHash API endpoint in OliveTin, which performs Argon2id password hashing. The endpoint lacks basic protective controls: it requires no authentication, applies no request rate limiting, and puts no bound on resource consumption. Each request starts a hashing operation that is deliberately expensive in both CPU time and memory, so an attacker who issues many requests in parallel has every one of them allocate its working memory at the same time. The cumulative allocation quickly exhausts the container's memory, producing service degradation or a complete denial of service.
The underlying issue is the use of Argon2id with a Memory parameter of 64 * 1024 (the alexedwards/argon2id library takes this value in kibibytes, so roughly 64 MiB per hash) without any concurrency control. In containerized deployments, where memory limits are typically tight, even four simultaneous hashes need about 256 MiB, so a handful of parallel requests can push the container past its limit and get it OOM-killed.
Root Cause
The root cause is the absence of concurrency limits on the password hashing endpoint. The Argon2id algorithm is intentionally memory-hard to resist brute-force attacks, but this characteristic becomes a vulnerability when exposed to unauthenticated concurrent requests. Without request throttling or a semaphore to limit parallel operations, attackers can amplify resource consumption linearly with each additional concurrent request.
Attack Vector
The attack can be executed remotely over the network without any authentication or user interaction. An attacker simply needs to identify the PasswordHash API endpoint and issue multiple concurrent HTTP requests. The attack is low-complexity and requires no special privileges, making it accessible to unsophisticated threat actors. The impact is limited to availability—there is no confidentiality or integrity breach.
The fix introduces a semaphore-based concurrency limiter that caps password hashing at 10 simultaneous operations. The excerpt below is cut off after the first two Argon2id parameters; the remaining fields of the Params struct are not shown on this page:
package api

import (
	"errors"
	"runtime"

	config "github.com/OliveTin/OliveTin/internal/config"
	"github.com/alexedwards/argon2id"
	log "github.com/sirupsen/logrus"
)

// Returned to a caller when every semaphore slot is already taken.
var ErrArgon2Busy = errors.New("too many concurrent password operations")

// Upper bound on hashes in flight at once.
const argon2MaxConcurrent = 10

// Buffered channel used as a counting semaphore: one slot per in-flight hash.
var argon2Sem = make(chan struct{}, argon2MaxConcurrent)

var defaultParams = argon2id.Params{
	Memory:     64 * 1024, // in KiB, i.e. about 64 MiB per hash
	Iterations: 4,
Source: GitHub Commit Update
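As an added illustration of how a capped semaphore behaves under a burst, the following Go program is example code written for this page, not OliveTin's own source. It reuses the names ErrArgon2Busy, argon2MaxConcurrent and argon2Sem from the excerpt above, but the non-blocking acquire (reject immediately rather than queue) and the injected Hasher stand-in for argon2id.CreateHash are assumptions, made so the program runs offline without golang.org/x/crypto. RunBurst fires 25 simultaneous requests and records how many obtained a slot, how many were rejected with ErrArgon2Busy, and the peak number in flight.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrArgon2Busy, argon2MaxConcurrent and argon2Sem reuse the names from the
// OliveTin excerpt above; everything else in this file is example code.
var ErrArgon2Busy = errors.New("too many concurrent password operations")

const argon2MaxConcurrent = 10

// argon2Sem is a counting semaphore: one buffered slot per in-flight hash.
var argon2Sem = make(chan struct{}, argon2MaxConcurrent)

// Hasher is the memory-hard operation being guarded. In the real service it
// would wrap argon2id.CreateHash; it is injected here (an assumption) so the
// example runs offline and the burst test can make it block on demand.
type Hasher func(password string) (string, error)

// HashPassword runs h only if a semaphore slot is free. The acquire is
// non-blocking (also an assumption about the fix): a caller that finds every
// slot taken is rejected at once with ErrArgon2Busy rather than queued, so
// an attacker cannot park hundreds of requests waiting behind the limiter.
func HashPassword(h Hasher, password string) (string, error) {
	select {
	case argon2Sem <- struct{}{}:
		defer func() { <-argon2Sem }() // release the slot however h exits
		return h(password)
	default:
		return "", ErrArgon2Busy
	}
}

// BurstResult summarises what a burst of simultaneous requests observed.
type BurstResult struct {
	Accepted, Rejected, PeakConcurrent int
}

// RunBurst fires n requests at the limiter at the same instant. The stand-in
// hasher parks inside its semaphore slot until every goroutine has made its
// attempt, reproducing the attack condition: hashes already in flight (each
// holding about 64 MiB in the real code) while more requests keep arriving.
func RunBurst(n int) BurstResult {
	var (
		mu            sync.Mutex
		res           BurstResult
		inFlight      int
		arrived, done sync.WaitGroup
	)
	gate := make(chan struct{}) // closed once all n goroutines have attempted
	arrived.Add(n)
	done.Add(n)

	parkingHash := func(pw string) (string, error) {
		mu.Lock()
		inFlight++
		res.Accepted++
		if inFlight > res.PeakConcurrent {
			res.PeakConcurrent = inFlight
		}
		mu.Unlock()
		arrived.Done()
		<-gate // hold the slot, as a real argon2id run would for its duration
		mu.Lock()
		inFlight--
		mu.Unlock()
		return "$argon2id$stub$" + pw, nil // constructed placeholder, not a real hash
	}

	for i := 0; i < n; i++ {
		go func(i int) {
			defer done.Done()
			if _, err := HashPassword(parkingHash, fmt.Sprintf("pw%d", i)); errors.Is(err, ErrArgon2Busy) {
				mu.Lock()
				res.Rejected++
				mu.Unlock()
				arrived.Done()
			}
		}(i)
	}
	arrived.Wait() // every request has either taken a slot or been rejected
	close(gate)    // let the accepted ones finish and release their slots
	done.Wait()
	return res
}

func main() {
	fmt.Printf("%+v\n", RunBurst(25)) // {Accepted:10 Rejected:15 PeakConcurrent:10}
}
```

Under a real argon2id call each accepted request would hold about 64 MiB for its duration, so the peak of 10 shown here corresponds to roughly 640 MiB; the rejection path is what keeps request 11 onward from adding to that. Whether to reject immediately or wait briefly for a slot is a design choice; an immediate ErrArgon2Busy is the safer default, because queued requests still tie up connections and goroutines while they wait.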
Detection Methods for CVE-2026-28342
Indicators of Compromise
- Sudden spikes in memory utilization on containers running OliveTin
- High volume of concurrent requests to the PasswordHash API endpoint from single or multiple source IPs
- OliveTin service crashes or restarts due to out-of-memory (OOM) conditions
- HTTP 503 or timeout responses from the OliveTin web interface during suspected attack windows
Detection Strategies
- Implement network-level monitoring for abnormal request rates to the OliveTin PasswordHash endpoint
- Configure container orchestration alerts for memory threshold violations on OliveTin pods
- Deploy web application firewall (WAF) rules to detect and block rapid concurrent requests to authentication endpoints
- Review OliveTin and container runtime logs for patterns indicating memory exhaustion or OOM kills
Monitoring Recommendations
- Enable container resource monitoring with alerts for memory usage exceeding 80% of allocated limits
- Implement request logging for the PasswordHash API endpoint to establish baseline traffic patterns
- Configure rate limiting at the reverse proxy or load balancer level as an additional defense layer
- Monitor for repeated failed authentication attempts that may indicate exploitation or reconnaissance
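To make the request-rate monitoring in the Detection Strategies and Monitoring Recommendations lists concrete, the following Go program is an added example for this page, not OliveTin or vendor code. It parses constructed reverse-proxy access-log lines in nginx combined format, keeps the requests to /api/PasswordHash (the route name used by the nginx example on this page, assumed here), and flags both any single client and the aggregate of all clients whose busiest one-second window exceeds 10 requests, the same figure as the fix's concurrency cap. The aggregate check is what catches a distributed attack whose individual sources each stay under the per-IP threshold.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed access-log excerpt in nginx "combined" format, not real OliveTin
// traffic: 203.0.113.7 bursts the hashing endpoint, 192.0.2.x add a smaller
// distributed burst in the same second, the last two lines are benign noise.
const burstLine = `203.0.113.7 - - [05/Mar/2026:10:00:01 +0000] "POST /api/PasswordHash HTTP/1.1" 200 96 "-" "curl/8.5.0"` + "\n"

var sampleLog = strings.Repeat(burstLine, 11) +
	`192.0.2.1 - - [05/Mar/2026:10:00:01 +0000] "POST /api/PasswordHash HTTP/1.1" 200 96 "-" "curl/8.5.0"
192.0.2.2 - - [05/Mar/2026:10:00:01 +0000] "POST /api/PasswordHash HTTP/1.1" 200 96 "-" "curl/8.5.0"
192.0.2.3 - - [05/Mar/2026:10:00:01 +0000] "POST /api/PasswordHash HTTP/1.1" 503 197 "-" "curl/8.5.0"
198.51.100.2 - - [05/Mar/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.3 - - [05/Mar/2026:10:00:05 +0000] "POST /api/PasswordHash HTTP/1.1" 200 96 "-" "Mozilla/5.0"`

// lineRE captures client IP, timestamp, request path and status code.
var lineRE = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})`)

type hit struct {
	ip string
	at time.Time
}

// parseHits keeps only requests to path, in log order; an unparseable line is
// an error rather than silently skipped, so a format change cannot blind us.
func parseHits(logText, path string) ([]hit, error) {
	var hits []hit
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("unparseable line: %q", line)
		}
		if m[3] != path {
			continue
		}
		at, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
		if err != nil {
			return nil, err
		}
		hits = append(hits, hit{ip: m[1], at: at})
	}
	return hits, nil
}

// Alert reports a source (client IP, or "all-sources" for the aggregate)
// whose busiest window of length w held more than the threshold.
type Alert struct {
	Source string
	Count  int
	Start  time.Time
}

// peakWindow sorts hits in place and returns the most hits that fall inside
// any half-open interval [t, t+w), plus that t (two-pointer sliding window).
func peakWindow(hits []hit, w time.Duration) (int, time.Time) {
	sort.Slice(hits, func(i, j int) bool { return hits[i].at.Before(hits[j].at) })
	best, start, lo := 0, time.Time{}, 0
	for hi := range hits {
		for hits[hi].at.Sub(hits[lo].at) >= w {
			lo++
		}
		if n := hi - lo + 1; n > best {
			best, start = n, hits[lo].at
		}
	}
	return best, start
}

// DetectBursts applies two thresholds: perSource catches one noisy client,
// aggregate catches a distributed attack whose sources each stay under the
// per-IP limit. Alerts are returned sorted by Source for stable output.
func DetectBursts(hits []hit, w time.Duration, perSource, aggregate int) []Alert {
	bySource := map[string][]hit{}
	for _, h := range hits {
		bySource[h.ip] = append(bySource[h.ip], h)
	}
	var alerts []Alert
	for ip, hs := range bySource {
		if n, start := peakWindow(hs, w); n > perSource {
			alerts = append(alerts, Alert{ip, n, start})
		}
	}
	if n, start := peakWindow(hits, w); n > aggregate {
		alerts = append(alerts, Alert{"all-sources", n, start})
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Source < alerts[j].Source })
	return alerts
}

// AnalyzeSample runs the detector over the constructed log with a 1 s window
// and a threshold of 10 for both checks, matching the fix's cap of 10.
func AnalyzeSample() ([]Alert, error) {
	hits, err := parseHits(sampleLog, "/api/PasswordHash")
	if err != nil {
		return nil, err
	}
	return DetectBursts(hits, time.Second, 10, 10), nil
}

func main() {
	alerts, err := AnalyzeSample()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-12s %2d requests in 1s from %s\n", a.Source, a.Count, a.Start.Format(time.RFC3339))
	}
}
```

On the sample data this raises two alerts: 203.0.113.7 with 11 requests in one second, and all-sources with 14, because the three 192.0.2.x clients that each sent a single request only show up once traffic is summed across sources. In production, point parseHits at the proxy's access log (or ship the lines to your SIEM and port the two-threshold logic there) and tune the window and thresholds to the baseline you establish from normal traffic.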
How to Mitigate CVE-2026-28342
Immediate Actions Required
- Upgrade OliveTin to version 3000.10.2 or later immediately
- If immediate upgrade is not possible, restrict network access to the OliveTin interface to trusted IP ranges
- Implement rate limiting at the reverse proxy or load balancer for the PasswordHash endpoint
- Increase container memory limits temporarily while preparing for the upgrade; this only raises the number of concurrent requests needed to exhaust memory (each in-flight hash costs about 64 MiB), so treat it as a stopgap rather than a fix
Patch Information
The vulnerability has been patched in OliveTin version 3000.10.2. The fix implements a semaphore-based concurrency limiter (argon2MaxConcurrent = 10) that restricts the number of simultaneous password hashing operations; when all slots are taken, further requests receive an ErrArgon2Busy error instead of starting another hash, which bounds the memory the endpoint can consume. Note that the bound is not small: 10 hashes at about 64 MiB each is roughly 640 MiB at peak, so a container running the patched version still needs a memory limit that accommodates that worst case, or a tighter limit enforced at the reverse proxy.
For detailed patch information, see:
Workarounds
- Place OliveTin behind a reverse proxy with rate limiting configured for all authentication endpoints; because the flaw is about simultaneous work rather than request rate, pair per-IP rate limiting with a connection or concurrency limit (for nginx, limit_conn alongside limit_req) so that a distributed attacker cannot stay under the per-IP rate while still saturating memory
- Restrict access to the OliveTin web interface using network firewall rules or IP allowlists
- Deploy OliveTin containers with appropriate memory limits and restart policies to minimize downtime during attacks
- If password hashing is not needed in your deployment, deny requests to the PasswordHash endpoint at the reverse proxy until the upgrade can be completed
# Example nginx rate limiting configuration for OliveTin.
# limit_req_zone must sit in the http {} context; the location block goes
# inside the server {} that fronts OliveTin. The zone is keyed on client IP
# and holds 10 MB of state (room for roughly 160,000 addresses).
limit_req_zone $binary_remote_addr zone=olivetin_auth:10m rate=5r/s;

location /api/PasswordHash {
    # Allow a short burst of up to 10 requests without delay; beyond a
    # sustained 5 requests/s per IP, requests are rejected (HTTP 503 by
    # default, adjustable with limit_req_status). A per-IP rate limit does
    # not stop a distributed attack, so add limit_conn on the same location
    # to cap the number of simultaneous requests as well.
    limit_req zone=olivetin_auth burst=10 nodelay;
    proxy_pass http://olivetin:1337;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

