Olivetin
CVE-2026-30223
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1.
AnalysisAI
OliveTin gives access to predefined shell commands from a web interface. [CVSS 8.8 HIGH]
Technical ContextAI
Classified as CWE-287 (Improper Authentication). Affects Olivetin. OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. Thi
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 3000.11.1.. Restrict network access to the affected service where possible.
OS command injection in OliveTin web shell interface through version 3000.10.0. OliveTin provides web-based access to pr
Arbitrary file write in OliveTin prior to 3000.11.2 allows authenticated attackers to write files to arbitrary filesyste
OliveTin versions prior to 3000.10.2 are vulnerable to unauthenticated denial of service through the PasswordHash API en
OliveTin versions prior to 3000.10.3 are vulnerable to unauthenticated denial-of-service attacks when OAuth2 authenticat
OliveTin versions prior to 3000.11.0 suffer from broken access control allowing unauthenticated users to invoke the Kill
OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/a
OliveTin prior to version 3000.11.1 fails to enforce view permission checks on dashboard and API endpoints, allowing aut
OliveTin prior to version 3000.11.1 fails to invalidate server-side sessions upon user logout, allowing attackers with a
OliveTin versions prior to 3000.11.1 contain an authentication bypass in RestartAction that allows authenticated users t
Concurrent action execution in OliveTin versions 3000.0.0 and prior triggers a race condition in a shared text/template.
### Summary OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subs
OliveTin's ValidateArgumentType RPC endpoint exposes action binding IDs and argument configurations to unauthenticated n
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
GHSA-g962-2j28-3cg9