HIGH🇵🇱 Wersja polska

CVE-2026-30223

CVSS 8.8v3.1pub. 2026-03-06upd. 2026-03-12

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Olivetin

    APP
    Olivetin
    < 3000.11.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-27626CRITICAL9.9PL ✓ten sam produkt

OliveTin — command injection umożliwiający nieuwierzytelniony RCE

CVE-2026-32102HIGH7.1ten sam produkt

OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin’s ...

CVE-2026-31817HIGH8.5ten sam produkt

OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs...

CVE-2026-28342HIGH7.5ten sam produkt

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the Passw...

CVE-2026-28789HIGH7.5ten sam produkt

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauth...