GO-2026-4587 OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login in github.com/OliveTin/OliveTin

OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login in github.com/OliveTin/OliveTin...

CVE-2026-28790 OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, bu...

CVE-2026-28790

mode C: Affected software / component : OliveTin (example version tested: 3000.10.2) with authRequireGuestsToLogin: true. The vulnerability concerns the KillAction RPC, which terminates running actions regardless of unauthenticated guest status. Root cause (as described) : KillAction applies only...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the KillAction function. An attacker can terminate active jobs initiated by legitimate users by directly invoking the KillAction endpoint without authentication, even when guest login is required. This can...

GHSA-4FQM-6FMH-82MQ OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login

Summary OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. In the tested release 3000.10.2, guests are correctly blocked from dashboard access, but an still call the KillAction RPC directly and successfully...

PT-2026-22999

Name of the Vulnerable Software and Affected Versions OliveTin versions prior to 3000.11.0 Description OliveTin allows an unauthenticated guest to terminate running actions through the KillAction Remote Procedure Call RPC even when authRequireGuestsToLogin: true is enabled. Guests are blocked fro...