CVE-2026-30223: OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes

March 5, 2026 (updated March 6, 2026)

When JWT authentication is configured using either:

authJwtPubKeyPath (local RSA public key), or
authJwtHmacSecret (HMAC secret),

the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service.

References

github.com/OliveTin/OliveTin
github.com/OliveTin/OliveTin/commit/e97d8ecbd8d6ba468c418ca496fcd18f78131233
github.com/OliveTin/OliveTin/releases/tag/3000.11.1
github.com/OliveTin/OliveTin/security/advisories/GHSA-g962-2j28-3cg9
github.com/advisories/GHSA-g962-2j28-3cg9
nvd.nist.gov/vuln/detail/CVE-2026-30223

Code Behaviors & Features

Detect and mitigate CVE-2026-30223 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →