Description

Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. This silently breaks certificate chain validation for mTLS. This vulnerability is fixed in 0.16.2.
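The following Go program is an added example, not code from Oxia or from the advisory: it shows the defect class described above next to its corrected form, and demonstrates why the bug is silent. `poolFirstBlockOnly` and `poolAllBlocks` are hypothetical names standing in for a function like `trustedCertPool()`; the root, intermediate and client certificates are constructed in memory with placeholder subject names, and the bundle is written in the order "root, then intermediate". A client leaf presented without its intermediate verifies against the pool built by the corrected loader but not against the one that stopped after the first PEM block, and neither loader reports an error, which is exactly the "silently breaks" behaviour the description refers to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// poolFirstBlockOnly reproduces the defect class the advisory describes (hypothetical
// code, not Oxia's): one pem.Decode call, so everything after the first block is dropped.
func poolFirstBlockOnly(bundle []byte) (*x509.CertPool, int, error) {
	block, _ := pem.Decode(bundle) // BUG: the remainder of the file is never looked at
	if block == nil {
		return nil, 0, fmt.Errorf("no PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, 0, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool, 1, nil
}

// poolAllBlocks is the corrected shape: keep decoding the remainder until pem.Decode returns
// nil (x509.CertPool.AppendCertsFromPEM does the same; the loop is explicit to expose the count).
func poolAllBlocks(bundle []byte) (*x509.CertPool, int, error) {
	pool, n := x509.NewCertPool(), 0
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // keys or other PEM material sharing the file are skipped
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, 0, fmt.Errorf("certificate #%d: %w", n+1, err)
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 {
		return nil, 0, fmt.Errorf("no CERTIFICATE block found") // fail closed on an empty bundle
	}
	return pool, n, nil
}

// must is a fixture helper: the certificates below are constructed, so build failures are bugs.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a constructed P-256 certificate signed by parent, or self-signed when
// parent is nil. Subject names are placeholders.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Scenario builds root -> intermediate -> client leaf, writes the CA bundle as "root, then
// intermediate", and checks whether the leaf, presented on its own, verifies against each pool.
func Scenario() (firstN, allN int, firstVerifies, allVerifies bool) {
	root, rootKey := newCert("Example Root CA", true, nil, nil)
	inter, interKey := newCert("Example Intermediate CA", true, root, rootKey)
	leaf, _ := newCert("client-1", false, inter, interKey)
	var bundle []byte // constructed CA bundle, what a ca.pem on disk would hold
	for _, c := range []*x509.Certificate{root, inter} {
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	verifies := func(pool *x509.CertPool) bool {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		return err == nil
	}
	firstPool, firstN, err := poolFirstBlockOnly(bundle)
	allPool, allN, err2 := poolAllBlocks(bundle)
	if err != nil || err2 != nil {
		panic(fmt.Sprint(err, err2))
	}
	return firstN, allN, verifies(firstPool), verifies(allPool)
}

func main() {
	firstN, allN, firstOK, allOK := Scenario()
	fmt.Printf("first block only: %d cert(s), verifies=%v; all blocks: %d cert(s), verifies=%v\n", firstN, firstOK, allN, allOK)
}
```

Two things to take from the example when reviewing a TLS configuration loader: compare the number of certificates loaded against the number of `CERTIFICATE` blocks in the file (a discrepancy is the only visible symptom of this bug, since no error is raised), and prefer `x509.CertPool.AppendCertsFromPEM` or an explicit decode loop over a single `pem.Decode` call. Which certificate ends up in the pool depends on the file's order, so a bundle written "intermediate, then root" can appear to work while "root, then intermediate" does not, which is why the failure is easy to miss in testing.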

Status: PUBLISHED | Reserved 2026-04-15 | Published 2026-04-21 | Updated 2026-04-22 | Assigner: GitHub_M

MEDIUM: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N)

Problem types

CWE-295: Improper Certificate Validation

Product status

< 0.16.2: affected

References

github.com/...b/oxia/security/advisories/GHSA-7jrq-q4pq-rhm6

cve.org (CVE-2026-40944)

nvd.nist.gov (CVE-2026-40944)