CVE-2026-40946 | THREATINT

Description

Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2.

PUBLISHED Reserved 2026-04-15 | Published 2026-04-21 | Updated 2026-04-22 | Assigner GitHub_M

CRITICAL: 9.2CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-287: Improper Authentication

Product status

< 0.16.2

affected

References

github.com/...b/oxia/security/advisories/GHSA-fhvp-9hcj-6m33

cve.org (CVE-2026-40946)

nvd.nist.gov (CVE-2026-40946)

Download JSON