CVE-2026-30223

EUVD-2026-10072

06.03.2026, 21:16

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
olivetin	olivetin	𝑥 < 3000.11.1

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/OliveTin/OliveTin/security/advisories/GHSA-g962-2j28-3cg9

Common Weakness Enumeration

References

https://github.com/OliveTin/OliveTin/commit/e97d8ecbd8d6ba468c418ca496fcd18f78131233

https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1

https://github.com/OliveTin/OliveTin/security/advisories/GHSA-g962-2j28-3cg9