OliveTin: Accepts Wrong Authentication Tokens from Other Services

CVE-2026-30223 · GHSA-g962-2j28-3cg9
Summary

Prior to version 3000.11.1, OliveTin validated the signature of a JWT but did not enforce the configured audience (authJwtAud). Any token validly signed with the shared HMAC secret or the RSA key pair, including tokens issued for a different service, was therefore accepted for access to the web interface. Update to version 3000.11.1 or later to fix this issue.

What to do
  • Update OliveTin to version 3000.11.1 or later.
  • If you depend on the Go module github.com/olivetin/olivetin, update to pseudo-version 0.0.0-20260304231339-e97d8ecbd8d6 or later.
Affected software
Vendor      Product                          Affected versions                           Fix available
github.com  olivetin                         <= 0.0.0-20260304231339-e97d8ecbd8d6        0.0.0-20260304231339-e97d8ecbd8d6
olivetin    github.com/olivetin/olivetin     <= 0.0.0-20260304231339-e97d8ecbd8d6        0.0.0-20260304231339-e97d8ecbd8d6
olivetin    olivetin                         < 3000.11.1                                 3000.11.1
Original title
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or...
Original description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1.
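The failure described above is easiest to see by putting the two verifier behaviours side by side. The following is an added example, not OliveTin's code: it implements HS256 minting and verification with the Go standard library only (the authJwtHmacSecret mode; the RSA mode has the same missing check but is omitted here), and the names MintHS256, VerifyLenient, VerifyStrict, the secret and the audience values are all constructed for illustration. VerifyLenient models the pre-3000.11.1 behaviour (signature checked, aud ignored); VerifyStrict adds the audience check the fix introduces, accepting aud either as a single string or as an array per RFC 7519.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims holds the registered claims this example inspects. "aud" is kept raw
// because RFC 7519 allows it to be a string or an array of strings.
type Claims struct {
	Sub string          `json:"sub"`
	Aud json.RawMessage `json:"aud"`
	Exp int64           `json:"exp"`
}

// audiences normalises the aud claim into a slice of strings.
func (c Claims) audiences() ([]string, error) {
	if len(c.Aud) == 0 {
		return nil, nil
	}
	var one string
	if err := json.Unmarshal(c.Aud, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(c.Aud, &many); err != nil {
		return nil, errors.New("aud claim is neither string nor array")
	}
	return many, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func sign(secret []byte, signingInput string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// MintHS256 issues a token the way any service sharing the HMAC secret would.
// aud may be a string or a []string.
func MintHS256(secret []byte, sub string, aud any, exp time.Time) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]any{"sub": sub, "aud": aud, "exp": exp.Unix()})
	signingInput := header + "." + b64(payload)
	return signingInput + "." + b64(sign(secret, signingInput))
}

// parseAndVerifySignature checks structure, alg, HMAC and expiry, but not aud.
func parseAndVerifySignature(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm so "none" and RSA/HMAC key confusion are rejected up front.
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(sig, sign(secret, parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return nil, err
	}
	if c.Exp != 0 && now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// VerifyLenient models the vulnerable behaviour: a valid signature is enough,
// whichever service the token was actually minted for.
func VerifyLenient(secret []byte, token string, now time.Time) (string, error) {
	c, err := parseAndVerifySignature(secret, token, now)
	if err != nil {
		return "", err
	}
	return c.Sub, nil
}

// VerifyStrict models the fix: the token must name this service in aud.
func VerifyStrict(secret []byte, token, expectedAud string, now time.Time) (string, error) {
	c, err := parseAndVerifySignature(secret, token, now)
	if err != nil {
		return "", err
	}
	auds, err := c.audiences()
	if err != nil {
		return "", err
	}
	for _, a := range auds {
		if a == expectedAud {
			return c.Sub, nil
		}
	}
	return "", fmt.Errorf("aud %v does not include %q", auds, expectedAud)
}

func main() {
	secret := []byte("shared-hmac-secret") // constructed: one secret shared by several services
	now := time.Now()
	foreign := MintHS256(secret, "alice", "billing-api", now.Add(time.Hour))
	if sub, err := VerifyLenient(secret, foreign, now); err == nil {
		fmt.Println("lenient verifier accepted a billing-api token for", sub)
	}
	if _, err := VerifyStrict(secret, foreign, "olivetin", now); err != nil {
		fmt.Println("strict verifier rejected it:", err)
	}
}
```

The practical point is that a shared HMAC secret (or a shared signing key pair) makes every token minted by any service in the deployment cryptographically valid everywhere; the audience claim is what scopes a token to one consumer, so a verifier that skips it collapses all those services into a single trust domain. When using a JWT library rather than hand-rolled parsing, the equivalent check is the library's "expected audience" option, which must be set explicitly; most libraries do not enforce aud unless asked.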
NVD CVSS 3.1: 8.8
Vulnerability type
CWE-287 Improper Authentication
CWE-345 Insufficient Verification of Data Authenticity
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026