PT-2026-23499 · Olivetin · Olivetin

Kule500 · Published 2026-03-02 · Updated 2026-03-25 · CVE-2026-28789

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: OliveTin versions prior to 3000.10.3

Description: OliveTin is susceptible to a denial-of-service condition stemming from unsynchronized access to shared state in its OAuth2 login flow. Concurrent requests to the /oauth/login API endpoint can trigger a Go runtime panic ('concurrent map writes'), terminating the process. This allows a remote, unauthenticated attacker to crash the service whenever OAuth2 is enabled. The root cause is unsynchronized access to the shared registeredStates map: the login handler, callback check, callback flow and authentication chain check all read and write it without holding a lock. The API endpoints involved are /oauth/login and /oauth/callback.

Recommendations: Versions prior to 3000.10.3 should be updated to version 3000.10.3 or later.
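The safe pattern for the map described above, as an added example that is not OliveTin's own code: pending OAuth2 states live in a mutex-guarded map, and both issuing and redeeming a state happen inside a single critical section, so concurrent /oauth/login and /oauth/callback requests cannot hit Go's fatal "concurrent map writes" error that an unguarded map would produce. The names StateRegistry, Issue and Consume are assumed for illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"sync"
)

// StateRegistry keeps the OAuth2 "state" values issued at login until the
// callback redeems them. Every map access goes through the mutex, so racing
// login and callback requests cannot hit Go's fatal "concurrent map writes".
type StateRegistry struct {
	mu     sync.Mutex
	states map[string]struct{}
}

func NewStateRegistry() *StateRegistry {
	return &StateRegistry{states: make(map[string]struct{})}
}

// Issue generates a random state and records it under the lock.
func (r *StateRegistry) Issue() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	state := fmt.Sprintf("%x", buf)
	r.mu.Lock()
	defer r.mu.Unlock()
	r.states[state] = struct{}{}
	return state, nil
}

// Consume checks and deletes a state in one critical section, so each
// state is redeemable exactly once even when callbacks race each other.
func (r *StateRegistry) Consume(state string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, ok := r.states[state]; !ok {
		return false
	}
	delete(r.states, state)
	return true
}

func main() {
	reg := NewStateRegistry()
	state, _ := reg.Issue()
	fmt.Println(reg.Consume(state), reg.Consume(state)) // prints "true false"
}
```

Running the program under `go run -race` is the practical check: the guarded registry stays silent, whereas the same workload against a bare map reports the data race that the advisory's crash stems from.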

Exploit

Fix

DoS

Race Condition

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2026-28789
GHSA-45M3-398W-M2M9
GO-2026-4586
SUSE-SU-2026:1042-1

Affected Products

Olivetin