CVE-2026-28789 Overview
OliveTin is a web-based application that provides access to predefined shell commands through a user-friendly interface. A race condition vulnerability exists in OliveTin's OAuth2 login flow prior to version 3000.10.3. Concurrent requests to the /oauth/login endpoint can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic with a "fatal error: concurrent map writes" message and subsequent process termination. This allows remote, unauthenticated attackers to crash the OliveTin service when OAuth2 authentication is enabled.
Critical Impact
Remote attackers can crash the OliveTin service without authentication by exploiting a race condition in the OAuth2 login flow, causing complete service disruption.
Affected Products
- OliveTin versions prior to 3000.10.3
- OliveTin installations with OAuth2 authentication enabled
Discovery Timeline
- 2026-03-05 - CVE-2026-28789 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28789
Vulnerability Analysis
This vulnerability is classified as CWE-362 (Race Condition), specifically a concurrent map write issue in Go. The vulnerability exists in the OAuth2 authentication flow where a shared registeredStates map is accessed without proper synchronization primitives. When multiple concurrent requests arrive at the /oauth/login endpoint, the Go runtime detects simultaneous write operations to the same map, triggering a fatal panic that terminates the entire OliveTin process.
The attack requires no authentication and can be exploited remotely over the network. The impact is limited to availability—there is no compromise of data confidentiality or integrity. However, the ease of exploitation and guaranteed service crash make this a significant denial-of-service vector for any OliveTin deployment using OAuth2.
Root Cause
The root cause is the absence of mutex synchronization around access to the registeredStates map in the OAuth2 authentication handler. In Go, maps are not safe for concurrent use—simultaneous read and write operations, or multiple concurrent writes, will cause a runtime panic. The OAuth2 login flow failed to implement proper locking mechanisms (such as sync.Mutex or sync.RWMutex) to serialize access to this shared state.
Attack Vector
The attack vector is straightforward: an attacker sends multiple simultaneous HTTP requests to the /oauth/login endpoint. This can be accomplished using simple tools like curl with parallel execution, or scripted HTTP clients. The race condition is reliably triggered when the concurrent requests attempt to write state entries to the shared map simultaneously. Since the endpoint is unauthenticated (being part of the login flow itself), no credentials are required to execute this attack.
The patch introduces synchronization using Go's sync package. The excerpt below shows only the added import; the mutex declared alongside registeredStates and the Lock/Unlock calls that actually guard the map accesses are part of the same commit but are not reproduced here:
"io"
"net/http"
"os"
+ "sync"
"time"
authTypes "github.com/OliveTin/OliveTin/internal/auth/authpublic"
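Review bot: the visible hunk adds only the "sync" import, which by itself changes nothing at runtime; the lines that fix the race (a mutex declared next to registeredStates and Lock/Unlock around every write, read and delete of that map, including the callback path that redeems a state) are not in this excerpt. Extend the excerpt to show the guarded accesses so a reader can confirm that no access to registeredStates is left outside the critical section.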
Source: GitHub Commit f044d90d5525c4c8e3f421b32ed7eff771c22d36
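The pattern behind the bug and its fix, as an added example that is not OliveTin's code or the referenced commit: a bare Go map written by concurrent login handlers (the vulnerable shape) next to a small state store that keeps the same map behind a sync.Mutex and also redeems each state only once and only before a TTL. The type and function names (StateStore, Register, Consume) are assumptions chosen for this illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"sync"
	"time"
)

// Vulnerable shape (illustration only, not OliveTin's code): a bare map written by every
// /oauth/login goroutine; two simultaneous writes kill the process with "fatal error: concurrent map writes".
var unsafeRegisteredStates = map[string]time.Time{}

func unsafeRegister(state string) { unsafeRegisteredStates[state] = time.Now() }

// Hardened shape: the same map behind a sync.Mutex so every access is serialized.
type StateStore struct {
	mu         sync.Mutex
	registered map[string]time.Time
	ttl        time.Duration
}

func NewStateStore(ttl time.Duration) *StateStore {
	return &StateStore{registered: make(map[string]time.Time), ttl: ttl}
}

// Register mints a random 128-bit state value and records when it was issued.
func (s *StateStore) Register() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	state := hex.EncodeToString(buf)
	s.mu.Lock()
	s.registered[state] = time.Now()
	s.mu.Unlock()
	return state, nil
}

// Consume accepts a state once; the lookup and the delete share one critical section.
func (s *StateStore) Consume(state string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	issued, ok := s.registered[state]
	if !ok {
		return false
	}
	delete(s.registered, state)
	return time.Since(issued) <= s.ttl
}
```

Running the hardened store under `go test -race` with many concurrent Register calls reports no data race, whereas the bare-map shape aborts the process rather than returning an error that recover() could catch.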
Detection Methods for CVE-2026-28789
Indicators of Compromise
- OliveTin process crashes with "fatal error: concurrent map writes" in logs
- Repeated unexpected service restarts or terminations
- Multiple rapid requests to /oauth/login endpoint from single or multiple source IPs
- Go runtime panic stack traces referencing the OAuth2 authentication module
Detection Strategies
- Monitor OliveTin service logs for Go runtime panic messages containing "concurrent map writes"
- Implement rate limiting or anomaly detection on the /oauth/login endpoint
- Set up process monitoring to alert on unexpected OliveTin service terminations
- Review web server access logs for burst patterns of requests to OAuth2 endpoints
Monitoring Recommendations
- Configure service health monitoring with automatic alerting for OliveTin process crashes
- Implement log aggregation to capture and analyze panic stack traces
- Deploy network-level monitoring to detect unusual request patterns to authentication endpoints
- Consider using a process supervisor to automatically restart crashed services while investigation proceeds
How to Mitigate CVE-2026-28789
Immediate Actions Required
- Upgrade OliveTin to version 3000.10.3 or later immediately
- If immediate upgrade is not possible, consider temporarily disabling OAuth2 authentication
- Implement rate limiting on the /oauth/login endpoint at the reverse proxy or load balancer level
- Monitor service availability and set up automatic restart mechanisms as a temporary measure
Patch Information
This vulnerability has been patched in OliveTin version 3000.10.3. The fix adds proper mutex synchronization using Go's sync package to protect concurrent access to the registeredStates map. Organizations should upgrade to this version or later to remediate the vulnerability. The patch details are available in the GitHub commit and the GitHub Security Advisory GHSA-45m3-398w-m2m9.
Workarounds
- Disable OAuth2 authentication temporarily and use alternative authentication methods if available
- Place OliveTin behind a reverse proxy with aggressive rate limiting on /oauth/login
- Restrict network access to the OliveTin service to trusted IP ranges only
- Implement a process supervisor (such as systemd with restart policies) to automatically recover from crashes
# Example nginx rate limiting configuration for /oauth/login
# In the http {} context: one zone keyed on client address, 5 requests/second sustained
limit_req_zone $binary_remote_addr zone=oauth_limit:10m rate=5r/s;
# In the server {} context: allow a short burst of 10, reject the rest immediately instead of queueing
location /oauth/login {
    limit_req zone=oauth_limit burst=10 nodelay;
    proxy_pass http://olivetin_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

