NIXPKGS-2026-0557

GitHub issue published on 7 Mar 2026

Permalink CVE-2026-28342

updated 17 hours ago by @mweinelt Activity log

Created automatic suggestion 2 days, 7 hours ago
@mweinelt accepted 17 hours ago
@mweinelt published on GitHub 17 hours ago

OliveTin: Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS). The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits. This issue has been patched in version 3000.10.2.

References

https://github.com/OliveTin/OliveTin/security/advisories/GHSA-pc8g-78pf-4xrp x_refsource_CONFIRM
https://github.com/OliveTin/OliveTin/commit/2eb5f0ba79d4bbef3c802bf8b4666a7e18dcfd90 x_refsource_MISC
https://github.com/OliveTin/OliveTin/releases/tag/3000.10.2 x_refsource_MISC

Affected products

OliveTin

==< 3000.10.2

Matching in nixpkgs

pkgs.olivetin

Gives safe and simple access to predefined shell commands from a web interface

nixos-unstable 2025.11.25
- nixpkgs-unstable 2025.11.25
- nixos-unstable-small 2025.11.25
nixos-25.11 2025.11.25
- nixos-25.11-small 2025.11.25
- nixpkgs-25.11-darwin 2025.11.25

Package maintainers

@Defelo Defelo

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0557

References

Affected products

Matching in nixpkgs

pkgs.olivetin

Package maintainers