GHSA-g962-2j28-3cg9: OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes

March 5, 2026

When JWT authentication is configured using either:

authJwtPubKeyPath (local RSA public key), or
authJwtHmacSecret (HMAC secret),

the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service.

References

github.com/OliveTin/OliveTin
github.com/OliveTin/OliveTin/commit/e97d8ecbd8d6ba468c418ca496fcd18f78131233
github.com/OliveTin/OliveTin/releases/tag/3000.11.1
github.com/OliveTin/OliveTin/security/advisories/GHSA-g962-2j28-3cg9
github.com/advisories/GHSA-g962-2j28-3cg9

Code Behaviors & Features

Detect and mitigate GHSA-g962-2j28-3cg9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →