CVE-2026-28790 · OliveTin gives access to predefined shell commands from a web interface.

01 · The Real Story

This is a fire alarm pull station hidden behind a locked lobby door

CVE-2026-28790 is an authorization gap in OliveTin before 3000.11.0. When authRequireGuestsToLogin: true is enabled, guests are correctly blocked from dashboard access, but the KillAction RPC still accepts unauthenticated guest requests and can terminate a running action if the guest can supply a live executionTrackingId. The fix in commit d980418 closes the gap by also disabling default guest kill permission when guest login is required.

The vendor's HIGH 7.5 is technically understandable from a base-CVSS view—network, no auth, no user interaction, availability impact—but it overstates enterprise urgency. In the real world this only matters on exposed OliveTin instances, only when admins explicitly enabled forced login, only while an action is actively running, and only if the attacker knows or can obtain the live tracking ID. That's disruptive, but it's narrow operational DoS, not broad service compromise.

"Easy to trigger, hard to matter at scale: this is an unauthenticated job-kill bug, not a fleet-compromise bug."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable OliveTin web endpoint

An attacker first needs HTTP reachability to an OliveTin instance, typically on the single HTTP frontend or a reverse-proxied path. Commodity recon tools like curl, Shodan, or Censys can help find Internet-exposed admin panels, but OliveTin is a niche self-hosted product rather than a mass-enterprise platform.

Conditions required:

OliveTin is reachable from the attacker's network position
The service is exposed directly or via reverse proxy

Where this breaks in practice:

Many OliveTin deployments are homelab/internal-only and never Internet-facing
Enterprise reverse proxies, VPNs, and network ACLs commonly put this behind private access paths

Detection/coverage: External ASM can flag exposed OliveTin panels if fingerprinted, but coverage is inconsistent because OliveTin is niche and often proxied behind generic web stacks.

STEP 02

Hit the RPC surface as guest

The public PoC uses curl against the API directly. The bug exists specifically when authRequireGuestsToLogin: true is set: dashboard-style methods deny guests, but KillAction still evaluates only the kill ACL path and misses the guest-login gate.

Conditions required:

authRequireGuestsToLogin: true is configured
Target version is earlier than 3000.11.0

Where this breaks in practice:

The vulnerable state is not the universal default deployment; it depends on a specific hardening setting being enabled
Version-only scanners may miss the fact that exploitability also depends on runtime config

Detection/coverage: Application logs can show guest API requests; the GHSA PoC demonstrates GetDashboard denied for guest while KillAction still succeeds.

STEP 03

Obtain a live executionTrackingId

The attacker cannot kill an arbitrary future job blindly; they need the active executionTrackingId for a running action. In the advisory PoC this is known because the researcher started the action themselves as admin, but in a real attack this often means guessing a predictable value, observing logs, shoulder-surfing operator workflows, or exploiting adjacent information leakage.

Conditions required:

A long-running action is currently executing
The attacker knows or can derive a valid live executionTrackingId

Where this breaks in practice:

No running action means no impact window
Tracking IDs are an additional exploit prerequisite that sharply narrows abuse in practice
Many actions are short-lived, shrinking the race window

Detection/coverage: Network scanners do not validate this prerequisite. Detection is mainly log-based: correlate StartAction and guest KillAction calls using the same tracking ID.

STEP 04

Terminate the job with KillAction

With a valid tracking ID, a simple unauthenticated POST to /api/KillAction can terminate the running action. The result is operational disruption—stopped maintenance, interrupted backups, aborted deployment jobs, or failed service-control tasks—not code execution or tenant takeover.

Conditions required:

Kill permission still resolves as allowed for guest/default path
The running action has not already completed

Where this breaks in practice:

Blast radius is limited to active jobs on that OliveTin instance
No confidentiality or integrity break is demonstrated by this CVE

Detection/coverage: Expect HTTP/API logs showing guest KillAction requests and OliveTin logs showing the action killed/finished with abnormal exit.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence found, and not listed in CISA KEV as of 2026-06-02. That lowers urgency materially.
Proof-of-concept availability	Yes. The public GitHub advisory itself includes a working `curl` PoC and a reproducible Docker setup for `3000.10.2`.
EPSS	`0.00116` (about 0.12%). Public mirrors place it around the 29th-30th percentile, which is consistent with easy bug, weak attacker demand.
KEV status	No KEV listing found in CISA's catalog as of 2026-06-02.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` — the score is driven entirely by availability. There is no C/I impact in the published advisory.
Affected versions	Vendor/advisory sources state OliveTin before `3000.11.0` is affected; Go package metadata maps this to `< 0.0.0-20260302002902-d9804182eae4`.
Fixed version	Fixed in `3000.11.0`. The patch adds `DefaultPermissions.Kill = false` when `authRequireGuestsToLogin` is enabled.
Exploit preconditions that matter	Reachable OliveTin endpoint, `authRequireGuestsToLogin: true`, a currently running action, and knowledge of a live `executionTrackingId`. Those last two are the real downgrade drivers.
Scanning / exposure reality	I found no reliable public Internet-scale fingerprint/count for OliveTin tied to this CVE. Treat exposure as likely small and niche, and rely on your own ASM/CMDB rather than assuming broad Internet prevalence.
Disclosure / reporter	GitHub advisory published 2026-03-02, NVD published 2026-03-05, patch released in `3000.11.0`. The release notes thank `@kule500` for responsible disclosure.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (4.8/10)

The decisive downgrade factor is that exploitation requires a live running job plus a valid executionTrackingId, which turns a nominally unauthenticated network flaw into a narrow timing-dependent operational nuisance. This is not the kind of bug attackers can spray across 10,000 hosts for broad compromise; its blast radius stays bounded to active jobs on reachable OliveTin instances.

HIGH Technical root cause and fixed version

MEDIUM Real-world exposure prevalence of Internet-facing OliveTin

HIGH Downgrade rationale versus vendor CVSS

Why this verdict

Vendor score assumes worst-case availability impact but the published impact is only unauthorized termination of currently running actions—no RCE, no data theft, no account takeover.
Attacker position is narrower than CVSS implies: while technically unauthenticated remote, the practical population is only reachable OliveTin instances, which is a niche product with limited enterprise exposure compared with mainstream admin platforms.
Exploitability depends on runtime conditions: the target must have authRequireGuestsToLogin: true, an action must be actively running, and the attacker must know or obtain the live executionTrackingId.
Modern controls reduce reachability: VPNs, reverse proxies, internal-only placement, and network ACLs should block the first step in many real deployments.
Threat intel is quiet: no KEV listing, no public exploitation evidence found, and very low EPSS all argue against treating this like a hot operational emergency.

Why not higher?

If this let unauthenticated users start commands, alter configuration, or read logs, the score would jump immediately. It doesn't. The attacker can only stop a live action, and only after clearing several narrowing prerequisites that most commodity exploitation workflows won't reliably satisfy.

Why not lower?

This still deserves attention because the exploit is simple once the prerequisites line up, and the advisory includes a public PoC. In environments using OliveTin for maintenance, backup, or deployment workflows, killing a running action can have real operational consequences even without code execution.

05 · Compensating Control

What to do — in priority order.

Restrict network reachability — Put OliveTin behind VPN, SSO proxy, source-IP allowlists, or internal-only routing so unauthenticated Internet users never touch the RPC surface. For a MEDIUM verdict there is no noisgate mitigation SLA; do this as standard hardening while you work toward patching within the 365-day remediation window.
Block guest access at the reverse proxy — If OliveTin must stay reachable, enforce authentication at the reverse proxy for the entire app path, including RPC endpoints, instead of relying on app-only guest restrictions. Again, no mitigation SLA applies at MEDIUM; implement as a defense-in-depth control on your normal hardening cycle.
Watch for guest KillAction usage — Alert on OliveTin or proxy logs where username="guest" or unauthenticated sessions hit KillAction, especially immediately after a StartAction. This is cheap detective coverage and helps validate whether the bug is being poked before you finish remediation.
Reduce exposure of tracking identifiers — Avoid predictable or operator-shared tracking IDs in workflows and limit where execution identifiers are exposed in logs, dashboards, or chat integrations. This does not fix the bug, but it increases attacker friction by protecting the key prerequisite.

What doesn't work

MFA does not help against this specific path because the attack is unauthenticated guest-to-RPC, not stolen-user-login abuse.
EDR on the OliveTin host is not a primary control here because the attacker is abusing intended API behavior to terminate jobs, not dropping malware.
Dashboard-only access restrictions are exactly what failed here; the bug lives in the action-control RPC path, not the visible UI.

06 · Verification

Crowdsourced verification payload.

Run this on the OliveTin host or container host where you can read the OliveTin binary/package metadata and the active config.yaml. Invoke it as bash check_cve_2026_28790.sh /path/to/config.yaml — for example, bash check_cve_2026_28790.sh /etc/OliveTin/config.yaml. Read access to the config file is required; root is only needed if the file or container metadata is restricted.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_28790.sh
# Detect likely exposure to CVE-2026-28790 in OliveTin.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

CONFIG_PATH="${1:-/etc/OliveTin/config.yaml}"
VERSION=""
AUTH_REQ=""

verlte() {
  [ "$1" = "$2" ] && return 0
  [  "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

find_version() {
  if command -v olivetin >/dev/null 2>&1; then
    VERSION=$(olivetin --version 2>/dev/null | grep -Eo '[0-9]{4}\.[0-9]+\.[0-9]+' | head -n1)
    if [ -n "$VERSION" ]; then
      return 0
    fi
  fi

  if command -v docker >/dev/null 2>&1; then
    VERSION=$(docker ps --format '{{.Image}}' 2>/dev/null | grep -Eo 'olivetin[:@][^ ]+' | grep -Eo '[0-9]{4}\.[0-9]+\.[0-9]+' | head -n1)
    if [ -n "$VERSION" ]; then
      return 0
    fi
  fi

  return 1
}

find_auth_setting() {
  if [ -r "$CONFIG_PATH" ]; then
    AUTH_REQ=$(grep -Ei '^[[:space:]]*authRequireGuestsToLogin[[:space:]]*:' "$CONFIG_PATH" | tail -n1 | awk -F: '{gsub(/[[:space:]]/,"",$2); print tolower($2)}')
    return 0
  fi

  if [ -r /config/config.yaml ]; then
    CONFIG_PATH=/config/config.yaml
    AUTH_REQ=$(grep -Ei '^[[:space:]]*authRequireGuestsToLogin[[:space:]]*:' "$CONFIG_PATH" | tail -n1 | awk -F: '{gsub(/[[:space:]]/,"",$2); print tolower($2)}')
    return 0
  fi

  return 1
}

find_version || true
find_auth_setting || true

if [ -z "$VERSION" ]; then
  echo "UNKNOWN - could not determine OliveTin version"
  exit 2
fi

if ! [[ "$VERSION" =~ ^[0-9]{4}\.[0-9]+\.[0-9]+$ ]]; then
  echo "UNKNOWN - unrecognized OliveTin version format: $VERSION"
  exit 2
fi

if verlte "$VERSION" "3000.10.999"; then
  VERSION_VULN=true
else
  VERSION_VULN=false
fi

if [ -z "$AUTH_REQ" ]; then
  echo "UNKNOWN - version=$VERSION but could not read authRequireGuestsToLogin from config"
  exit 2
fi

if [ "$VERSION_VULN" = true ] && [ "$AUTH_REQ" = "true" ]; then
  echo "VULNERABLE - OliveTin $VERSION with authRequireGuestsToLogin=true"
  exit 1
fi

if [ "$VERSION_VULN" = false ]; then
  echo "PATCHED - OliveTin $VERSION is >= 3000.11.0"
  exit 0
fi

if [ "$AUTH_REQ" != "true" ]; then
  echo "PATCHED - OliveTin $VERSION is in vulnerable range, but authRequireGuestsToLogin is not enabled so this CVE path is not exposed"
  exit 0
fi

echo "UNKNOWN - unable to make a final determination"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: identify every OliveTin instance, confirm whether it is Internet-reachable, and specifically flag any host still below 3000.11.0 with authRequireGuestsToLogin: true. Because this is MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; use normal hardening to restrict reachability in the meantime, and complete the actual upgrade under the noisgate remediation SLA of ≤365 days.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.