Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30223 is a high-severity vulnerability in OliveTin's authentication system involving JSON Web Token (JWT) audience claim validation bypass. Prior to version 3000.11.1, when JWT authentication was configured using either a local RSA public key or an HMAC secret, the configured audience value was not enforced during token parsing. This meant that validly signed JWT tokens with an incorrect or unintended audience claim could be accepted for authentication."}, {'type': 'paragraph', 'content': 'As a result, an attacker possessing a valid JWT signed by the configured key or secret but intended for a different audience or service could authenticate successfully. This allows cross-service token reuse and trust boundary violations in multi-service environments.'}, {'type': 'paragraph', 'content': 'The vulnerability was patched in OliveTin version 3000.11.1 by enforcing audience validation during JWT parsing in local key and HMAC modes.'}] [2, 3]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can allow unauthorized authentication using JWT tokens that were intended for different audiences or services. An attacker with a valid JWT signed by the configured key or secret can bypass audience restrictions and gain access to OliveTin's system."}, {'type': 'paragraph', 'content': 'The impact includes potential cross-service token reuse, authentication with tokens issued for other systems, and violations of trust boundaries in environments where multiple services share signing keys or rely on audience restrictions for isolation.'}, {'type': 'paragraph', 'content': 'The vulnerability does not bypass access control lists (ACLs) but compromises the authentication validation process, leading to high confidentiality, integrity, and availability impacts.'}] [2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves acceptance of JWT tokens with incorrect audience claims during authentication in OliveTin versions prior to 3000.11.1. Detection involves verifying whether the OliveTin instance enforces audience validation on JWT tokens.

One approach is to attempt authentication using a validly signed JWT token that contains an incorrect or unexpected audience (aud) claim and observe if authentication succeeds. If it does, the system is vulnerable.

Specific commands or scripts to generate such JWT tokens with incorrect audience claims can be created using JWT libraries (e.g., jwt.io libraries) by signing tokens with the configured key or secret but setting the aud claim to a wrong value.

For example, using a JWT CLI tool or a script, generate a token with the same signing key but with an aud claim different from the expected audience configured in OliveTin, then attempt to authenticate via the OliveTin web interface or API.

If the token is accepted despite the wrong audience, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade OliveTin to version 3000.11.1 or later, where this vulnerability has been patched by enforcing audience validation during JWT token parsing.

If upgrading immediately is not possible, consider temporarily disabling JWT authentication or restricting access to OliveTin to trusted networks or users until the patch can be applied.

Additionally, review your JWT authentication configuration to ensure that audience validation is properly enforced and that signing keys or secrets are not reused across multiple services.

Monitor authentication logs for unusual successful authentications using tokens with unexpected audience claims, which may indicate exploitation attempts.

Useful 0 Not Useful 0