
CVE

CVE-2026-28789

OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling

Summary

An unauthenticated denial-of-service vulnerability exists in OliveTin's OAuth2 login flow. Concurrent requests to /oauth/login trigger unsynchronized access to a shared registeredStates map, causing an unrecoverable Go runtime fault (fatal error: concurrent map writes) that terminates the process. A remote attacker can therefore crash the service whenever OAuth2 is enabled.

Details

The OAuth2 handler stores per-login state in a shared map without any synchronization:

  • service/internal/auth/otoauth2/restapiauthoauth2.go:24

    registeredStates map[string]*oauth2State

  • Unlocked write in login handler: .../restapiauthoauth2.go:141
  • Unlocked read in callback check: .../restapiauthoauth2.go:174
  • Unlocked writes in callback flow: .../restapiauthoauth2.go:284-285
  • Unlocked read in auth chain check: .../restapiauthoauth2.go:376

These paths are network reachable via publicly registered routes:

  • service/internal/httpservers/frontend.go:71 → /oauth/login
  • service/internal/httpservers/frontend.go:72 → /oauth/callback

Because the Go HTTP server runs each request handler in its own goroutine, and Go maps are not safe for concurrent use, enough parallel traffic to /oauth/login makes two handlers write the map at the same time. The runtime detects this and aborts the whole process with fatal error: concurrent map writes; this is a fatal runtime error, not a panic, so no recover() in the handler chain can catch it.

Tested on:

  • Container image: ghcr.io/olivetin/olivetin:3000.10.0
  • The source tree at commit/tag eb42029b5d0c0633551621288180dd4566b913f7 (3000.10.1) contains the same pattern.
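
The following is an added example, not OliveTin's code: it places the unsynchronized-map pattern the advisory describes next to a hardened state registry that takes a mutex on every access, expires stale entries and caps the number of pending logins (an unauthenticated client should not be able to grow the map without bound either). The type and function names (oauth2State fields, stateStore, Register, Consume, hammer) and the TTL and cap values are assumptions for this example. hammer reproduces the shape of the PoC (80 workers issuing many logins in parallel) against the hardened store, which completes cleanly under the race detector.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// oauth2State is a per-login record of the kind the advisory's registeredStates
// map holds. The fields are assumed for this example.
type oauth2State struct {
	Provider  string
	CreatedAt time.Time
}

// newStateToken returns a 256-bit random, URL-safe OAuth2 state value.
func newStateToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing is not something a login handler can recover from
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Vulnerable pattern (as the advisory describes it): a plain map shared by every
// handler goroutine. Two /oauth/login handlers writing at once abort the process
// with "fatal error: concurrent map writes", which recover() cannot catch.
// Only ever call this sequentially; it is here to show the shape of the bug.
var unsafeRegisteredStates = map[string]*oauth2State{}

func unsafeRegister(provider string) string {
	token := newStateToken()
	unsafeRegisteredStates[token] = &oauth2State{Provider: provider, CreatedAt: time.Now()} // unsynchronized write
	return token
}

// Hardened pattern: one mutex guards every access, stale states are expired on
// each registration, and pending logins are capped (values assumed here).
type stateStore struct {
	mu     sync.Mutex
	states map[string]*oauth2State
	ttl    time.Duration
	limit  int
}

func newStateStore(ttl time.Duration, limit int) *stateStore {
	return &stateStore{states: make(map[string]*oauth2State), ttl: ttl, limit: limit}
}

// Register issues a new state for provider. Expiry runs under the same lock so
// no other goroutine can observe the map mid-update.
func (st *stateStore) Register(provider string) (string, error) {
	token, now := newStateToken(), time.Now()
	st.mu.Lock()
	defer st.mu.Unlock()
	for k, v := range st.states {
		if now.Sub(v.CreatedAt) > st.ttl {
			delete(st.states, k)
		}
	}
	if len(st.states) >= st.limit {
		return "", errors.New("too many pending OAuth2 logins")
	}
	st.states[token] = &oauth2State{Provider: provider, CreatedAt: now}
	return token, nil
}

// Consume looks up and deletes token in one critical section, so a callback can
// be redeemed exactly once; expired states are removed and rejected.
func (st *stateStore) Consume(token string) (*oauth2State, bool) {
	st.mu.Lock()
	defer st.mu.Unlock()
	s, ok := st.states[token]
	if !ok {
		return nil, false
	}
	delete(st.states, token)
	if time.Since(s.CreatedAt) > st.ttl {
		return nil, false
	}
	return s, true
}

// Len reports the number of pending states.
func (st *stateStore) Len() int {
	st.mu.Lock()
	defer st.mu.Unlock()
	return len(st.states)
}

// hammer models the PoC: workers goroutines each call Register perWorker times
// concurrently. Registrations refused by the cap are dropped, not fatal.
func hammer(st *stateStore, workers, perWorker int) []string {
	var wg sync.WaitGroup
	var mu sync.Mutex
	var tokens []string
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := 0; i < perWorker; i++ {
				tok, err := st.Register("github")
				if err != nil {
					continue
				}
				mu.Lock()
				tokens = append(tokens, tok)
				mu.Unlock()
			}
		}()
	}
	wg.Wait()
	return tokens
}

func main() {
	st := newStateStore(5*time.Minute, 10000)
	tokens := hammer(st, 80, 50) // same worker count as the PoC; safe under -race
	_, first := st.Consume(tokens[0])
	_, replay := st.Consume(tokens[0])
	fmt.Printf("issued %d states, %d pending; first callback=%v replay=%v\n", len(tokens), st.Len(), first, replay)
}
```

Run it with `go run -race .` to confirm the hardened store is clean. If you instead call unsafeRegister from several goroutines under -race, the race detector reports the conflicting writes on the map; without -race the runtime may abort with the same fatal error: concurrent map writes the advisory observed. Note that a sync.Map would also remove the crash, but it does not by itself give you the atomic lookup-and-delete that makes Consume one-shot, which is why a plain mutex is the better fit here.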

PoC

  1. Start OliveTin with an OAuth2 provider configured (for example GitHub), exposing port 1337.
  2. Confirm the baseline:

     curl -i http://127.0.0.1:1337/readyz
     curl -i "http://127.0.0.1:1337/oauth/login?provider=github"

     Expected: 200 for /readyz, 302 for /oauth/login.

  3. Run the concurrency PoC:

     python3 /OliveTin/tools/poc_oauth2_state_map_race_dos.py \
       --base-url http://127.0.0.1:1337 \
       --provider github \
       --workers 80 \
       --requests 120000 \
       --health-failures 3

  4. Verify the crash:

     docker inspect olivetin-dos --format 'status={{.State.Status}} exit={{.State.ExitCode}}'
     docker logs olivetin-dos 2>&1 | grep -E "fatal error: concurrent map|concurrent map writes|restapiauthoauth2.go"

  Observed result:

  • Process exited with code 2 (the exit status the Go runtime uses for fatal errors)
  • Logs include:
    • fatal error: concurrent map writes
    • .../internal/auth/otoauth2/restapiauthoauth2.go:141 in HandleOAuthLogin

Impact

  • Vulnerability type: Race condition (CWE-362) leading to DoS.
  • Attacker requirements: network access only; no authentication required for exploit path.
  • Impacted deployments: OliveTin instances with OAuth2 enabled and reachable over network.
  • Security impact: remote unauthenticated attacker can repeatedly crash OliveTin, causing availability loss until restart/recovery.

Attachment: poc_oauth2_state_map_race_dos.py

Package Versions Affected

No items found.


CVSS

Severity  Base Score  CVSS Version  Score Vector
High      7.5         3.1           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-         0           3.1           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-         -           -             -


References

  • https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9
  • https://nvd.nist.gov/vuln/detail/CVE-2026-28789
  • https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36
  • https://github.com/OliveTin/OliveTin

Basic Information

  • Severity: High (CVSS 7.5)
  • Ecosystem: -
  • Base CVSS: 7.5
  • EPSS Probability: 0.0017%
  • EPSS Percentile: 0.3779%
  • Introduced Version: 0
  • Fix Available: 0.0.0-20260301235225-f044d90d5525c
