CVE-2026-30223
Severity: HIGH
olivetin < 3000.11.1 - Insufficient JWT Audience Verification
Title source: llmDescription
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, a validly signed JWT whose aud claim does not match the configured audience is still accepted for authentication, so tokens issued for a different audience or service can be used to authenticate to OliveTin. This issue has been patched in version 3000.11.1.
References (3)
Vendor Advisory (x_refsource_confirm): https://github.com/OliveTin/OliveTin/security/advisories/GHSA-g962-2j28-3cg9
Patch (x_refsource_misc): https://github.com/OliveTin/OliveTin/commit/e97d8ecbd8d6ba468c418ca496fcd18f78131233
Release Notes (x_refsource_misc): https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1
Scores
CVSS v3: 8.8
EPSS: 0.0030
EPSS Percentile: 21.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-345, CWE-287
Status: published
Products (1): olivetin/olivetin < 3000.11.1
Published: Mar 06, 2026
Tracked Since: Mar 07, 2026