CVE-2026-28342: OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint
The PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS).
The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits.
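One way to address the missing throttling described above is to cap how many hash operations run at once and shed the rest. This is an added example, not OliveTin's code and not the fix in the referenced commit; `hashGate`, `simulateBurst`, the `/hash` path and the stand-in handler are hypothetical names chosen for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// hashGate is a counting semaphore: at most cap(gate) hashes run at once.
type hashGate chan struct{}
// wrap sheds load with 429 when every slot is busy instead of queueing.
func (g hashGate) wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case g <- struct{}{}:
			defer func() { <-g }()
			next.ServeHTTP(w, r)
		default:
			http.Error(w, "hashing capacity exhausted", http.StatusTooManyRequests)
		}
	})
}

// simulateBurst fires constructed requests in parallel and counts outcomes.
func simulateBurst(slots, parallel int) (served, shed int) {
	var attempted sync.WaitGroup
	attempted.Add(parallel)
	h := make(hashGate, slots).wrap(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
		attempted.Done()
		attempted.Wait() // stand-in for the slow hash: hold the slot until all have tried
	}))
	codes := make(chan int, parallel)
	for i := 0; i < parallel; i++ {
		go func() {
			rec := httptest.NewRecorder()
			h.ServeHTTP(rec, httptest.NewRequest("POST", "/hash", nil)) // placeholder path
			if rec.Code != http.StatusOK {
				attempted.Done()
			}
			codes <- rec.Code
		}()
	}
	n := map[int]int{}
	for i := 0; i < parallel; i++ {
		n[<-codes]++
	}
	return n[http.StatusOK], n[http.StatusTooManyRequests]
}
func main() { fmt.Println(simulateBurst(2, 10)) }
```

With such a gate in place, peak hashing memory is bounded by the slot count multiplied by the per-hash memory cost, so the slot count can be sized against the container's memory limit.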
References
- github.com/OliveTin/OliveTin
- github.com/OliveTin/OliveTin/commit/2eb5f0ba79d4bbef3c802bf8b4666a7e18dcfd90
- github.com/OliveTin/OliveTin/releases/tag/3000.10.2
- github.com/OliveTin/OliveTin/security/advisories/GHSA-pc8g-78pf-4xrp
- github.com/advisories/GHSA-pc8g-78pf-4xrp
- nvd.nist.gov/vuln/detail/CVE-2026-28342