6 matches found
CVE-2026-40946
Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience aud claim validation at the library level. This allows tokens issued for unrelate...
EUVD-2026-24511
Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This...
CVE-2026-40944 Oxia: TLS CA certificate chain validation fails with multi-certificate PEM bundles
Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates e.g., intermediate + root CA, only the first certificate is loaded...
CVE-2026-40943
Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat method uses a blocking channel send while holding a mutex, and under specific timin...
PT-2026-34190
Name of the Vulnerable Software and Affected Versions Oxia versions prior to 0.16.2 Description The OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration. This disables the standard audience aud claim validation at the library level,...
PT-2026-34189
Name of the Vulnerable Software and Affected Versions Oxia versions prior to 0.16.2 Description When OIDC OpenID Connect, an identity layer on top of the OAuth 2.0 protocol authentication fails, the full bearer token is logged in plaintext at the DEBUG level. If debug logging is enabled in...