PT-2026-22700 · Olivetin · Olivetin

Fg0X0 · Published 2026-03-02 · Updated 2026-03-25 · CVE-2026-28342

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: OliveTin versions prior to 3000.10.2
Description: The PasswordHash API endpoint lets unauthenticated users trigger excessive memory allocation by sending concurrent password hashing requests. Issuing many parallel requests can exhaust the container's available memory, leading to service degradation or a denial of service (DoS). The root cause is that the endpoint performs a computationally and memory-intensive hashing operation without authentication, request throttling, or resource limits. The vulnerable endpoint is POST /api/olivetin.api.v1.OliveTinApiService/PasswordHash, which accepts a JSON body containing a password field; each request triggers one memory-intensive hashing operation, and nothing bounds how many of them may run at once. In a test environment, 50 concurrent requests produced approximately 3.2 GB of memory usage (roughly 64 MB per in-flight request), which is enough for an unauthenticated attacker to exhaust server memory and deny service.
Recommendations: Versions prior to 3000.10.2 should be updated to version 3000.10.2 or later.
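As an added example (not OliveTin's own code, and not the fix shipped in 3000.10.2), the following Go program shows the mitigation shape the description calls for: a fixed number of hashing slots, so that the endpoint's peak memory is at most slots × per-hash memory no matter how many requests arrive, with excess requests rejected immediately with 429 instead of being queued. The memory-hard KDF is a stand-in built from SHA-256 over a large buffer; the slot count, per-hash memory, wait time and body limit are assumed values. Only the route name is taken from the advisory.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"log"
	"net/http"
	"time"
)

// ErrBusy is returned when every hashing slot is already occupied.
var ErrBusy = errors.New("too many concurrent password hashes in flight")

// memoryHardHash is a stand-in for a real memory-hard KDF (assumption: this is
// not OliveTin's hash). It allocates memBytes, chains SHA-256 through the
// buffer, and digests the whole buffer, so every call holds that much memory
// for its entire duration, which is the cost the advisory is about.
func memoryHardHash(password string, memBytes int) string {
	buf := make([]byte, memBytes)
	h := sha256.Sum256([]byte(password))
	for off := 0; off+len(h) <= len(buf); off += len(h) {
		copy(buf[off:], h[:])
		h = sha256.Sum256(buf[off : off+len(h)])
	}
	final := sha256.Sum256(buf)
	return hex.EncodeToString(final[:])
}

// BoundedHasher caps how many expensive hashes may run at the same time.
type BoundedHasher struct {
	slots    chan struct{} // one token per hash allowed in flight
	memBytes int
}

func NewBoundedHasher(maxInFlight, memBytes int) *BoundedHasher {
	return &BoundedHasher{slots: make(chan struct{}, maxInFlight), memBytes: memBytes}
}

// MaxMemory is the hard ceiling on memory this endpoint can hold at once.
func (b *BoundedHasher) MaxMemory() int { return cap(b.slots) * b.memBytes }

// Hash waits up to wait for a free slot and then hashes. If all slots stay
// busy it fails fast with ErrBusy rather than queueing unbounded work.
func (b *BoundedHasher) Hash(password string, wait time.Duration) (string, error) {
	timer := time.NewTimer(wait)
	defer timer.Stop()
	select {
	case b.slots <- struct{}{}:
	case <-timer.C:
		return "", ErrBusy
	}
	defer func() { <-b.slots }()
	return memoryHardHash(password, b.memBytes), nil
}

// ServeHTTP is the hardened endpoint: bounded request body, bounded
// concurrency, and 429 with Retry-After once the server is saturated.
func (b *BoundedHasher) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	r.Body = http.MaxBytesReader(w, r.Body, 4096) // assumed body limit
	var req struct {
		Password string `json:"password"`
	}
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.Password == "" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	hash, err := b.Hash(req.Password, 50*time.Millisecond)
	if errors.Is(err, ErrBusy) {
		w.Header().Set("Retry-After", "1")
		http.Error(w, "too many concurrent requests", http.StatusTooManyRequests)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]string{"hash": hash})
}

func main() {
	// Assumed limits: 4 hashes in flight at 16 MiB each caps this endpoint at
	// 64 MiB however many clients connect (the advisory's test run reached
	// about 3.2 GB at 50 parallel requests with no such bound).
	h := NewBoundedHasher(4, 16<<20)
	// Route name from the advisory. Authentication in front of it is a
	// separate control and is not shown here.
	http.Handle("/api/olivetin.api.v1.OliveTinApiService/PasswordHash", h)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The slot channel is the whole mitigation: a saturated server answers in about 50 ms with 429 and never allocates a buffer for the rejected request, so memory stays at MaxMemory regardless of client count. Requiring authentication on the endpoint, which the advisory also lists as missing, is an independent control that belongs in middleware in front of this handler.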

Exploit

Fix

DoS

Resource Exhaustion

Allocation of Resources Without Limits


Weakness Enumeration

Related Identifiers

CVE-2026-28342
GHSA-PC8G-78PF-4XRP
GO-2026-4584
SUSE-SU-2026:1042-1

Affected Products

Olivetin