OliveTin’s authentication mechanism allows predefined shell commands to be executed from a web interface. When JWT authentication is configured with a local RSA public key or an HMAC secret, the audience claim (authJwtAud) is not enforced during token parsing. As a result, a token that is correctly signed but contains an incorrect audience value is still accepted as valid. This flaw requires a valid signature but permits the use of tokens intended for a different audience or service, effectively bypassing authentication checks. The vulnerability is classified as an authentication bypass (CWE‑287) and an incorrect audience validation (CWE‑345).

The flaw affects OliveTin OliveTin, versions prior to 3000.11.1. The patch was released in the 3000.11.1 release. No other vendor or product versions are affected. If you are running any version older than 3000.11.1, the vulnerability is present.

Based on the description, OliveTin provides a web interface for predefined shell commands and uses JWT for authentication. The flaw occurs when a validly signed JWT contains an incorrect audience claim; the audience is not checked. Consequently, if an attacker has a JWT that is correctly signed for OliveTin but carries a different audience, that token will still be accepted, allowing the attacker to authenticate as an arbitrary user. The attack is therefore a remote network attack where the adversary supplies forged JWTs. It requires that the attacker already obtains a JWT with a valid signature for OliveTin; once that is achieved, the audience claim is ignored, and the attacker gains the ability to execute any command the application permits. The flaw is rated high severity with a CVSS score of 8.8, but the EPSS indicates a very low exploitation probability. The vulnerability is not included in the CISA KEV catalog. The risk remains significant because gaining authenticated access exposes execution privileges for arbitrary shell commands.