CVE-2026-30223 in OliveTin
Summary
by MITRE • 03/06/2026
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/12/2026
The vulnerability identified as CVE-2026-30223 affects OliveTin, a web-based interface that provides access to predefined shell commands through a graphical user interface. This application implements JWT-based authentication mechanisms to secure access to its command execution features, making it a critical component for system administrators who rely on secure remote command execution capabilities. The flaw exists in the token validation process where the application fails to properly enforce the audience claim specified in the JWT specification, creating a potential security escalation vector that could allow unauthorized access to system commands.
The technical implementation of this vulnerability stems from improper JWT validation logic within OliveTin's authentication module. When JWT tokens are configured using either public key cryptography through authJwtPubKeyPath or symmetric key cryptography via authJwtHmacSecret, the application correctly validates the token signature but neglects to verify that the audience claim matches the expected value configured in authJwtAud. This oversight allows an attacker to obtain a validly signed JWT token from another service or application that shares the same signing key, then use that token to authenticate against OliveTin even though the token was never intended for that specific service. The vulnerability directly relates to CWE-290 authentication bypass through reliance on untrusted inputs and represents a failure to properly validate JWT claims as specified in the JWT standard.
The operational impact of this vulnerability extends beyond simple unauthorized access to command execution capabilities. An attacker who can obtain a valid JWT token from a legitimate service within the same organization could potentially execute arbitrary shell commands on systems running vulnerable versions of OliveTin. This creates a significant risk for organizations that rely on JWT-based authentication for multiple services, as a compromise of one service's authentication system could potentially provide access to other systems that share the same signing keys. The vulnerability particularly affects environments where OliveTin is deployed in enterprise settings where multiple services share common authentication infrastructure, potentially allowing lateral movement or privilege escalation attacks.
Organizations should immediately update to OliveTin version 3000.11.1 or later to address this vulnerability, as the patch implements proper audience claim validation during JWT token parsing. System administrators should also review their JWT configuration settings to ensure that the authJwtAud parameter is properly set and that all services sharing authentication keys maintain consistent audience values. Security monitoring should be enhanced to detect unusual authentication patterns or attempts to use tokens from unexpected sources, particularly in environments where JWT tokens are shared across multiple services. This vulnerability demonstrates the critical importance of proper JWT implementation and validation, aligning with ATT&CK technique T1566.002 for credential access through valid accounts and T1566.001 for credential access through phishing attacks, as the flaw could potentially be exploited through token theft or replay attacks.