HIGHCVE-2026-40945Published 2026-04-21Modified 2026-04-22CNA GitHub_M

CVE-2026-40945: Oxia: Bearer token exposed in debug log messages on authentication failure

Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

oxia-db / oxia
< 0.16.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

https://github.com/oxia-db/oxia/security/advisories/GHSA-pm7q-rjjx-979p

Metrics