PT-2026-23613 · Olivetin · Olivetin
Zwique · Published 2026-03-05 · Updated 2026-03-25 · CVE-2026-30223
CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OliveTin versions prior to 3000.11.1
Description: OliveTin exposes predefined shell commands through a web interface. When JWT authentication is configured with a local RSA public key (authJwtPubKeyPath) or an HMAC secret (authJwtHmacSecret), the configured audience value (authJwtAud) is not enforced during token parsing, so JWTs intended for a different audience or service are accepted for authentication. The issue resides in jwt.go, specifically lines 51–59, 144–157 and 161–168: in Local Public Key Mode and HMAC Mode the jwt.WithAudience() option is not passed to the parser, so audience validation is skipped. An attacker holding a valid JWT signed with the configured key but issued for a different audience can therefore authenticate successfully. This enables cross-service token reuse, authentication with tokens issued for other systems, and trust-boundary violations in multi-service environments. The affected API endpoint is /api/WhoAmI, with the JWT passed in the Authorization header; the vulnerable parameter is the aud claim within the token. This is strictly an authentication validation flaw and does not bypass ACL authorization.
Recommendations: Update OliveTin to version 3000.11.1 or later.
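The audience check the description refers to, shown as an added example rather than OliveTin's own code: a minimal HS256 verifier written against the Go standard library (not the jwt library the advisory mentions), where the shared secret, the token claims and the expected audience "olivetin" are constructed sample values. Calling parseHS256 with an empty expectedAud behaves like the vulnerable HMAC-mode path, accepting a validly signed token issued for another service; supplying the configured audience rejects it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// claims holds the JWT claims this example inspects. aud is modelled as a single
// string; RFC 7519 also allows an array of audiences, which a real verifier must handle.
type claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
}

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// signHS256 builds a compact HS256 token; it exists only to construct sample tokens.
func signHS256(secret []byte, c claims) string {
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// parseHS256 verifies the HMAC signature and, when expectedAud is non-empty, enforces the
// aud claim; expectedAud == "" reproduces the signature-only validation the advisory describes.
// The header never selects the algorithm: HS256 with the configured secret is always applied.
func parseHS256(secret []byte, token, expectedAud string) (claims, error) {
	var c claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, fmt.Errorf("invalid signature")
	}
	if p, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &c) != nil {
		return c, fmt.Errorf("malformed payload")
	}
	if expectedAud != "" && c.Aud != expectedAud {
		return c, fmt.Errorf("audience mismatch: token was issued for %q", c.Aud)
	}
	return c, nil
}
```

A detection angle follows from the same check: a verifier that logs the aud value of every accepted token makes cross-service reuse visible even before the fix is deployed.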


Weakness Enumeration

Improper Authentication
Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2026-30223
GHSA-G962-2J28-3CG9
GO-2026-4622
SUSE-SU-2026:1042-1

Affected Products

Olivetin