CVE-2026-28342— OliveTin: Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint

CVSS 7.5 · High EPSS 0.58% · P69 Updated Mar 07, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-28342

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

OliveTin: Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint

Source: NVD (National Vulnerability Database)

Vulnerability Description

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS). The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits. This issue has been patched in version 3000.10.2.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

不加限制或调节的资源分配

Source: NVD (National Vulnerability Database)

Vulnerability Title

OliveTin 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

OliveTin是OliveTin开源的一个Web应用。 OliveTin 3000.10.2之前版本存在安全漏洞，该漏洞源于PasswordHash API端点允许未经验证的用户触发过多内存分配，可能导致拒绝服务。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
OliveTin	OliveTin	< 3000.10.2	-

II. Public POCs for CVE-2026-28342

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-28342

Please Login to view more intelligence information

Release 3000.10.2 · OliveTin/OliveTin · GitHubx_refsource_MISC
Unauthenticated DoS via Memory Exhaustion in PasswordHash function · Advisory · OliveTin/OliveTin · GitHubx_refsource_CONFIRM
Next (#905) · OliveTin/OliveTin@2eb5f0b · GitHubx_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2026-28342

Same Patch Batch · OliveTin · 2026-03-05 · 3 CVEs total

CVE-2026-28789	7.5 HIGH	OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling
CVE-2026-28790	7.5 HIGH	OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login

IV. Related Vulnerabilities

Same product: OliveTin

Same vendor: OliveTin

Same weakness: CWE-770

V. Comments for CVE-2026-28342

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-28342— OliveTin: Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint

I. Basic Information for CVE-2026-28342

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-28342

III. Intelligence Information for CVE-2026-28342

Same Patch Batch · OliveTin · 2026-03-05 · 3 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-28342

Leave a comment