Unauthenticated Denial-of-Service Vulnerability in OliveTin OAuth2 Login
CVE-2026-28789

7.5HIGH

Key Information:

Vendor: Olivetin
Status: Olivetin
Vendor: CVE Published:; 5 March 2026

What is CVE-2026-28789?

OliveTin's OAuth2 login flow is susceptible to an unauthenticated denial-of-service vulnerability. Before version 3000.10.3, the service's handling of concurrent requests to the /oauth/login endpoint could lead to a Go runtime panic due to unsynchronized access to a shared resource. Attackers could exploit this flaw by sending simultaneous login requests which would trigger a failure in the application, effectively causing it to crash when OAuth2 is enabled. This vulnerability has been addressed in the latest version, making it crucial for users to upgrade to maintain service integrity.

Affected Version(s)

OliveTin < 3000.10.3

References

https://github.com/OliveTin/OliveTin/security/advisories/...

x_refsource_CONFIRM

https://github.com/OliveTin/OliveTin/commit/f044d90d5525c...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 5, 2026
Vulnerability Reserved
Mar 3, 2026

CVE-2026-28789 Data

JSON

Olivetin

What is CVE-2026-28789?

Affected Version(s)

References

CVSS V3.1

Timeline