CVE-2026-28342
HIGH7.5EPSS 0.61%OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint
Description
## Summary The PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS). The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits. ## Details The vulnerable endpoint: `POST /api/olivetin.api.v1.OliveTinApiService/PasswordHash` accepts a JSON body containing a password field and returns a computed password hash. Each request triggers a memory-intensive hashing operation. When multiple concurrent requests are sent, memory consumption increases significantly. There are no safeguards such as: - Authentication requirements - Rate limiting - Request throttling - Memory usage caps per request - Concurrency controls As a result, an attacker can repeatedly invoke the endpoint in parallel, causing excessive RAM allocation inside the container. In a test environment, 50 concurrent requests resulted in approximately 3.2 GB of memory usage (≈64 MB per request), leading to service instability. This behavior allows unauthenticated attackers to perform a denial of service attack by exhausting server memory resources. ## PoC Environment - Docker container: olivetin-test - Exposed API on: http://localhost:1337 - Default configuration (no authentication enabled) ## Reproduction Steps Run the following script to send 50 concurrent requests: ```bash for i in $(seq 1 50); do curl -s -X POST http://localhost:1337/api/olivetin.api.v1.OliveTinApiService/PasswordHash \ -H "Content-Type: application/json" \ -d "{\"password\":\"flood-$i\"}" & done docker stats olivetin-test --no-stream wait ``` ```bash ┌──(root㉿kali)-[~/cve/OliveTin] └─# docker stats olivetin-test --no-stream CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS 18509670bf3e olivetin-test 344.63% 6.189GiB / 7.753GiB 79.83% 313kB / 288kB 4.31MB / 106MB 7 ``` `Docker CPU is 344.63%` ### Impact This vulnerability allows unauthenticated remote attackers to: - Exhaust server memory - Crash the service - Cause availability loss - Trigger container termination in orchestrated environments This is a Denial of Service (DoS) vulnerability affecting service availability. Production deployments without reverse proxy rate limiting (e.g., Nginx, Traefik) are especially at risk.
Affected packages (2)
- Go/github.com/OliveTin/OliveTinfrom 0, < 0.0.0-20260227002407-2eb5f0ba79d4
- Go/github.com/OliveTin/OliveTinfrom 0, < 0.0.0-20260227002407-2eb5f0ba79d4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-28342
- PATCHhttps://github.com/OliveTin/OliveTin
- WEBhttps://github.com/OliveTin/OliveTin/commit/2eb5f0ba79d4bbef3c802bf8b4666a7e18dcfd90
- WEBhttps://github.com/OliveTin/OliveTin/releases/tag/3000.10.2
- WEBhttps://github.com/OliveTin/OliveTin/security/advisories/GHSA-pc8g-78pf-4xrp