PT-2026-22999 · Olivetin · Olivetin

Kule500 · Published 2026-03-02 · Updated 2026-03-25 · CVE-2026-28790

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: OliveTin versions prior to 3000.11.0

Description: OliveTin allows an unauthenticated guest to terminate running actions through the KillAction Remote Procedure Call (RPC) even when authRequireGuestsToLogin: true is enabled. Guests are blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions.

The issue is caused by inconsistent authorization enforcement between dashboard access and action-control RPCs. Specifically, the KillAction() function authenticates the caller and applies only the per-action kill Access Control List (ACL) check, but does not enforce the guest login requirement. When authRequireGuestsToLogin is enabled, configuration sanitization disables the guest view, execution, and logs permissions, but leaves kill unchanged. As a result, an unauthenticated guest user can satisfy the IsAllowedKill() check and terminate actions.

The /api/KillAction API endpoint is vulnerable: it accepts the executionTrackingId parameter that identifies the action to terminate. This can disrupt long-running administrative or operational workflows.

Recommendations: Versions prior to 3000.11.0 should be updated to version 3000.11.0 or later.
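The description above names two places where the guest-login requirement can fail to reach the kill path: the configuration sanitization step (which clears view, exec and logs but not kill) and the KillAction() handler (which relies on the per-action kill ACL alone). The following Go model, added here as an illustration and not OliveTin's own code, reproduces the gap described on the page and shows the two defensive corrections a maintainer would make: clear kill during sanitization as well, and enforce the guest-login requirement at the RPC boundary regardless of what sanitization produced. All struct names, field names and helper functions (Config, Permissions, Caller, sanitizeVulnerable, sanitizeFixed, authorizeKill, effectivePermissions) are assumptions for this model; only authRequireGuestsToLogin, IsAllowedKill and executionTrackingId come from the advisory text.

```go
package main

import (
	"errors"
	"fmt"
)

// Permissions models the four guest permissions the advisory names.
// Field names are assumptions, not OliveTin's real configuration schema.
type Permissions struct {
	View bool
	Exec bool
	Logs bool
	Kill bool
}

// Config models the two settings the advisory refers to: the guest-login
// requirement and the default permission set that applies to guests.
type Config struct {
	AuthRequireGuestsToLogin bool
	DefaultPermissions       Permissions
}

// Caller is a simplified principal. Guest is true when the request carried
// no authenticated identity; Perms holds a logged-in user's own permissions.
type Caller struct {
	Username string
	Guest    bool
	Perms    Permissions
}

var (
	errGuestLoginRequired = errors.New("guests must log in before calling KillAction")
	errKillNotAllowed     = errors.New("caller is not permitted to kill this action")
	errMissingTrackingID  = errors.New("executionTrackingId is required")
)

// sanitizeVulnerable reproduces the behaviour described in the advisory:
// with authRequireGuestsToLogin enabled, guest view/exec/logs are cleared
// but kill is left untouched.
func sanitizeVulnerable(cfg Config) Config {
	if cfg.AuthRequireGuestsToLogin {
		cfg.DefaultPermissions.View = false
		cfg.DefaultPermissions.Exec = false
		cfg.DefaultPermissions.Logs = false
		// Kill is (incorrectly) not cleared here.
	}
	return cfg
}

// sanitizeFixed clears kill together with the other guest permissions, so a
// per-action ACL check on its own can no longer admit a guest.
func sanitizeFixed(cfg Config) Config {
	cfg = sanitizeVulnerable(cfg)
	if cfg.AuthRequireGuestsToLogin {
		cfg.DefaultPermissions.Kill = false
	}
	return cfg
}

// effectivePermissions resolves what a caller may do: guests inherit the
// (sanitized) defaults, authenticated users carry their own set.
func effectivePermissions(c Caller, cfg Config) Permissions {
	if c.Guest {
		return cfg.DefaultPermissions
	}
	return c.Perms
}

// isAllowedKill stands in for the page's IsAllowedKill(): it consults only
// the effective permission set, which is all the flawed path relied on.
func isAllowedKill(c Caller, cfg Config) bool {
	return effectivePermissions(c, cfg).Kill
}

// authorizeKill is the boundary check a hardened KillAction handler should
// run: enforce the guest-login requirement explicitly, independent of
// whether sanitization happened to clear kill, then apply the ACL check.
func authorizeKill(c Caller, cfg Config, executionTrackingID string) error {
	if executionTrackingID == "" {
		return errMissingTrackingID
	}
	if cfg.AuthRequireGuestsToLogin && c.Guest {
		return errGuestLoginRequired
	}
	if !isAllowedKill(c, cfg) {
		return errKillNotAllowed
	}
	return nil
}

func main() {
	// Constructed sample configuration: guests must log in, but the default
	// permission set still grants kill, as it might before sanitization.
	cfg := Config{AuthRequireGuestsToLogin: true,
		DefaultPermissions: Permissions{View: true, Exec: true, Logs: true, Kill: true}}
	guest := Caller{Guest: true}
	fmt.Println("vulnerable sanitization, guest passes IsAllowedKill:", isAllowedKill(guest, sanitizeVulnerable(cfg)))
	fmt.Println("fixed sanitization, guest passes IsAllowedKill:     ", isAllowedKill(guest, sanitizeFixed(cfg)))
	fmt.Println("boundary check on vulnerable config:", authorizeKill(guest, sanitizeVulnerable(cfg), "exec-0001")) // exec-0001 is a constructed id
}
```

The two corrections are deliberately independent: `sanitizeFixed` closes the configuration gap, while `authorizeKill` denies guests even when handed the output of `sanitizeVulnerable`, so a future permission added to the config without a matching sanitization rule does not silently reopen the same class of hole.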

Tags: Exploit · Fix · DoS · Missing Authorization · Incorrect Authorization · Improper Access Control


Weakness Enumeration

Related Identifiers: CVE-2026-28790, GHSA-4FQM-6FMH-82MQ, GO-2026-4587, SUSE-SU-2026:1042-1

Affected Products: Olivetin