CVE-2026-30223 · HIGH 8.8 · EPSS percentile 21.6%


Description

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1.
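To make the weakness concrete, the following Go program (an added example, not OliveTin's code and not the patched implementation) verifies an HS256 JWT with only the standard library. `verifySignature` reproduces the weak behaviour the description mentions for the HMAC case: the signature is checked but the `aud` claim is never compared with the configured audience, so a validly signed token minted for another service is accepted. `verifyWithAudience` adds the missing check. The secret, the subject and the audience strings are constructed for the demo; `signHS256` exists only to build test tokens.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed demo secret; a deployment would read this from configuration
// (the advisory's "authJwtHmacSecret" setting).
const demoSecret = "constructed-demo-secret"

// audience accepts both forms RFC 7519 allows for aud: a single string or an
// array of strings.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err == nil {
		*a = audience{s}
		return nil
	}
	var arr []string
	if err := json.Unmarshal(b, &arr); err != nil {
		return err
	}
	*a = audience(arr)
	return nil
}

// claims holds the registered claims this example cares about.
type claims struct {
	Sub string   `json:"sub"`
	Aud audience `json:"aud"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 builds a compact JWS with an HS256 signature (test-token helper).
func signHS256(c claims, secret string) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// verifySignature checks the HS256 signature and decodes the claims. It does
// NOT look at aud: this is the weak behaviour the advisory describes.
func verifySignature(token, secret string) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, errors.New("malformed token")
	}
	// Pin the algorithm: with an HMAC secret only HS256 is acceptable.
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return claims{}, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "HS256" {
		return claims{}, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return claims{}, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return claims{}, err
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return claims{}, err
	}
	return c, nil
}

// verifyWithAudience is the corrected behaviour: the same signature check,
// plus the token must name this service's configured audience.
func verifyWithAudience(token, secret, expectedAud string) (claims, error) {
	c, err := verifySignature(token, secret)
	if err != nil {
		return claims{}, err
	}
	for _, a := range c.Aud {
		if expectedAud != "" && a == expectedAud {
			return c, nil
		}
	}
	return claims{}, fmt.Errorf("audience mismatch: got %v, want %q", c.Aud, expectedAud)
}

func main() {
	// Token issued for a different service, signed with the same shared secret.
	foreign := signHS256(claims{Sub: "alice", Aud: audience{"other-service"}}, demoSecret)
	_, err := verifySignature(foreign, demoSecret)
	fmt.Println("signature-only check accepts foreign token:", err == nil)
	_, err = verifyWithAudience(foreign, demoSecret, "olivetin")
	fmt.Println("audience-enforcing check rejects it:", err != nil)
}
```

The difference between the two verifiers is the whole fix: once the audience is compared, a token minted for another service sharing the same secret or public key is no longer usable against this one, which is the precondition the CVSS vector's PR:L captures.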

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% probability of exploitation · percentile 21.6% · 2026-06-19T12:03:05Z
Published: 2026-03-06
Last modified: 2026-03-12

Underlying weaknesses · 2

CWE-287, CWE-345

References

  1. https://github.com/OliveTin/OliveTin/commit/e97d8ecbd8d6ba468c418ca496fcd18f78131233
  2. https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1
  3. https://github.com/OliveTin/OliveTin/security/advisories/GHSA-g962-2j28-3cg9


Type      Target                                          ID       Confidence  Tier
Weakness  Improper Authentication                         cwe-287  0%          live
Weakness  Insufficient Verification of Data Authenticity  cwe-345  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-27626
  2. CVE-2026-31817
  3. CVE-2026-31946
  4. CVE-2025-41702
  5. CVE-2025-41672
  6. CVE-2026-43585

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.