Nixpkgs security tracker

Untriaged

Permalink CVE-2026-30223

8.8 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

OliveTin: JWT Audience Validation Bypass in Local Key and HMAC Modes

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1.

References

https://github.com/OliveTin/OliveTin/security/advisories/GHSA-g962-2j28-3cg9 x_refsource_CONFIRM
https://github.com/OliveTin/OliveTin/commit/e97d8ecbd8d6ba468c418ca496fcd18f78131233 x_refsource_MISC
https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1 x_refsource_MISC

Affected products

OliveTin

==< 3000.11.1

Matching in nixpkgs

pkgs.olivetin

Gives safe and simple access to predefined shell commands from a web interface

nixos-unstable 2025.11.25
- nixpkgs-unstable 2025.11.25
- nixos-unstable-small 2025.11.25
nixos-25.11 2025.11.25
- nixos-25.11-small 2025.11.25
- nixpkgs-25.11-darwin 2025.11.25

Package maintainers

@Defelo Defelo

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.olivetin

Package maintainers