CVE-2026-28790 Overview
OliveTin is a web-based application that provides access to predefined shell commands from a user-friendly web interface. A broken access control vulnerability exists in OliveTin versions prior to 3000.11.0 that allows unauthenticated guests to terminate running actions through the KillAction RPC endpoint, even when the authRequireGuestsToLogin: true configuration option is enabled. While guests are correctly blocked from dashboard access, they can still directly call the KillAction RPC and successfully stop running actions, resulting in an unauthorized denial of service condition against legitimate action executions.
Critical Impact
Unauthenticated attackers can remotely terminate any running action in OliveTin, causing denial of service against legitimate operations without requiring any authentication credentials.
Affected Products
- OliveTin versions prior to 3000.11.0
Discovery Timeline
- 2026-03-05 - CVE CVE-2026-28790 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28790
Vulnerability Analysis
This vulnerability represents a classic broken access control issue (CWE-284) where authentication enforcement is inconsistent across different application endpoints. While OliveTin correctly implements access control for the main dashboard when authRequireGuestsToLogin: true is configured, the KillAction RPC endpoint lacks the same authentication checks. This inconsistency allows unauthenticated users to bypass the intended security controls and interact with critical functionality that should be restricted to authenticated users.
The vulnerability enables a network-based attacker to cause denial of service conditions without any user interaction or special privileges. The impact is limited to availability, as the attacker cannot read or modify data, but can disrupt ongoing operations by terminating legitimate actions.
Root Cause
The root cause lies in incomplete permission enforcement in the default permission configuration. When the authRequireGuestsToLogin setting is enabled, the application correctly sets View, Exec, and Logs permissions to false for guests, but fails to also disable the Kill permission. This oversight allows guests to invoke the KillAction RPC endpoint despite being blocked from other dashboard functionality.
Attack Vector
An attacker can exploit this vulnerability by directly calling the KillAction RPC endpoint without authentication. The attack requires network access to the OliveTin web interface but does not require any credentials, user interaction, or special privileges. The attacker simply needs to identify an active action and send a request to the KillAction endpoint to terminate it, disrupting legitimate operations.
// Security patch showing the fix - added Kill permission enforcement
cfg.DefaultPermissions.View = false
cfg.DefaultPermissions.Exec = false
cfg.DefaultPermissions.Logs = false
+ cfg.DefaultPermissions.Kill = false
}
}
Source: GitHub Commit Changes
Detection Methods for CVE-2026-28790
Indicators of Compromise
- Unexpected termination of running OliveTin actions without corresponding authenticated user activity
- HTTP requests to the KillAction RPC endpoint from unauthenticated sessions or unknown IP addresses
- Sudden increases in action failure rates or interrupted workflows
- Web server logs showing RPC calls without valid authentication tokens
Detection Strategies
- Monitor OliveTin logs for KillAction invocations that lack associated authenticated user sessions
- Implement network monitoring to detect unauthorized access attempts to the OliveTin web interface
- Review access logs for patterns indicating systematic action termination attacks
- Configure alerting on anomalous action termination events outside normal operational windows
Monitoring Recommendations
- Enable detailed logging for all RPC endpoints in OliveTin to capture authentication status for each request
- Set up alerts for action terminations that occur without corresponding user authentication
- Monitor network traffic to the OliveTin service for unusual patterns or high volumes of KillAction requests
- Regularly audit permission configurations to ensure Kill permissions are properly restricted
How to Mitigate CVE-2026-28790
Immediate Actions Required
- Upgrade OliveTin to version 3000.11.0 or later immediately
- If immediate upgrade is not possible, restrict network access to the OliveTin web interface to trusted networks only
- Review logs for any evidence of exploitation or unauthorized action terminations
- Consider temporarily disabling guest access entirely until the patch can be applied
Patch Information
OliveTin has released version 3000.11.0 which addresses this vulnerability by ensuring the Kill permission is properly set to false when authRequireGuestsToLogin is enabled. The patch adds the missing permission enforcement in the configuration sanitization logic. Users should upgrade to this version or later to fully remediate the vulnerability.
For detailed patch information, see the GitHub Security Advisory GHSA-4fqm-6fmh-82mq and the release notes for version 3000.11.0.
Workarounds
- Restrict network access to the OliveTin service using firewall rules to limit exposure to trusted IP ranges only
- Place OliveTin behind a reverse proxy with additional authentication requirements
- Disable guest access entirely by removing any guest-accessible configurations until the patch is applied
- Monitor and alert on KillAction endpoint usage to detect potential exploitation attempts
# Example: Restrict OliveTin access using iptables
# Only allow access from trusted internal network
iptables -A INPUT -p tcp --dport 1337 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 1337 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
