VDB
CVE-2026-30223
CVE-2026-30223
PUBLISHED
CVSS 8.800000190734863 HIGH
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1.
EPSS 0.04% · 13.7th percentile
Risk Scores
CVSS v3.1
8.800000190734863
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.04%
13.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| olivetin | olivetin | 0, 0 |
| OliveTin | OliveTin | *, * |
| github.com | OliveTin/OliveTin | 0, 0 |
Timeline
- Mar 5, 2026 CVE Published
- Mar 6, 2026 CVE Updated
- Mar 6, 2026 PoC Published
- Mar 7, 2026 EPSS Score
- Mar 7, 2026 PoC Published
- Mar 8, 2026 EPSS Score
- Mar 9, 2026 EPSS Score
- Mar 10, 2026 EPSS Score
- Mar 12, 2026 EPSS Score
- Mar 13, 2026 EPSS Score
- Mar 13, 2026 PoC Published
- Mar 14, 2026 EPSS Score
References
- https://github.com/OliveTin/OliveTin/security/advisories/GHSA-g962-2j28-3cg9 url
- https://github.com/OliveTin/OliveTin/commit/e97d8ecbd8d6ba468c418ca496fcd18f78131233 url
- https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-30223 advisory
- https://github.com/OliveTin/OliveTin package