CVE-2026-28790: OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login
OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. In the tested release (3000.10.2), guests are correctly blocked from dashboard access, but an unauthenticated client can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue: the login requirement is enforced for the dashboard but not for the KillAction RPC, so an unauthenticated caller can cause a denial of service against legitimate action executions. The fix commit and the 3000.11.0 release are listed in the references below; after upgrading, confirm from an unauthenticated client that KillAction is rejected rather than relying on the dashboard being blocked.
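The pattern behind this class of bug, as an added illustration in Go (OliveTin is written in Go) that is not OliveTin's own code and does not reproduce its internals: the vulnerable shape checks the guest-login policy inside the dashboard handler only, so any other RPC reached directly bypasses it, while the hardened shape applies one interceptor to every method before dispatch. The Request, Config, Handler and method-name strings are assumed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model (assumed, not OliveTin's types): a request names the RPC
// and carries the authenticated username; empty means an anonymous guest.
type Request struct {
	Method   string
	Username string
}

// Mirrors the authRequireGuestsToLogin option discussed in the advisory.
type Config struct {
	AuthRequireGuestsToLogin bool
}

var ErrUnauthorized = errors.New("guests must log in")

type Handler func(Request) (string, error)

// Vulnerable shape: the guest check lives only inside the dashboard handler.
// KillAction performs no check, so a direct RPC call from a guest succeeds.
func vulnerableHandlers(cfg Config) map[string]Handler {
	return map[string]Handler{
		"GetDashboardComponents": func(r Request) (string, error) {
			if cfg.AuthRequireGuestsToLogin && r.Username == "" {
				return "", ErrUnauthorized
			}
			return "dashboard", nil
		},
		"KillAction": func(r Request) (string, error) {
			return "killed", nil // no authorization check at all
		},
	}
}

// Hardened shape: a single interceptor enforces the policy for every method
// before dispatch, so no handler can be reached without passing it.
func requireLogin(cfg Config, next Handler) Handler {
	return func(r Request) (string, error) {
		if cfg.AuthRequireGuestsToLogin && r.Username == "" {
			return "", ErrUnauthorized
		}
		return next(r)
	}
}

// hardenedHandlers wraps every handler, including ones that forgot their own
// check; per-handler checks are no longer the only line of defence.
func hardenedHandlers(cfg Config) map[string]Handler {
	h := vulnerableHandlers(cfg)
	for name, fn := range h {
		h[name] = requireLogin(cfg, fn)
	}
	return h
}

// Call dispatches a request to the named method.
func Call(handlers map[string]Handler, r Request) (string, error) {
	fn, ok := handlers[r.Method]
	if !ok {
		return "", fmt.Errorf("unknown method %q", r.Method)
	}
	return fn(r)
}

func main() {
	cfg := Config{AuthRequireGuestsToLogin: true}
	guestKill := Request{Method: "KillAction"}

	_, err := Call(vulnerableHandlers(cfg), guestKill)
	fmt.Println("vulnerable KillAction as guest:", err) // <nil>: action is killed

	_, err = Call(hardenedHandlers(cfg), guestKill)
	fmt.Println("hardened KillAction as guest:", err) // guests must log in
}
```

The point for reviewers and deployers is that "guests are blocked from the dashboard" says nothing about the RPCs the dashboard calls; an authorization policy belongs at the dispatch boundary, applied to every method by default, with any exemptions listed explicitly.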
References
- github.com/OliveTin/OliveTin
- github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9
- github.com/OliveTin/OliveTin/releases/tag/3000.11.0
- github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq
- github.com/advisories/GHSA-4fqm-6fmh-82mq
- nvd.nist.gov/vuln/detail/CVE-2026-28790