CRITICAL | CVE-2026-40946 | CNA: GitHub_M

CVE-2026-40946: Oxia: OIDC token audience validation bypass via SkipClientIDCheck

Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2.
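As an added illustration (not Oxia's or go-oidc's code), the Go stand-in below models the verifier's audience rule so the effect of the setting is visible: with SkipClientIDCheck set, a token minted for another service behind the same issuer passes, while a configuration that names Oxia's own client ID rejects it. The Config type, CheckAudience and the claim values are assumptions for this example; signature, issuer and expiry checks are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Config stands in for the two go-oidc verifier fields the advisory names
// (hypothetical type, not the library's own).
type Config struct {
	ClientID          string
	SkipClientIDCheck bool
}

// audience accepts "aud" as either a string or an array of strings, as JWT allows.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

// CheckAudience applies the audience rule to an ID token's decoded claims.
// Signature, issuer and expiry checks are out of scope for this illustration.
func CheckAudience(cfg Config, claimsJSON []byte) error {
	var claims struct {
		Aud audience `json:"aud"`
	}
	if err := json.Unmarshal(claimsJSON, &claims); err != nil {
		return err
	}
	if cfg.SkipClientIDCheck { // pre-0.16.2 setting: any token from the issuer passes
		return nil
	}
	if cfg.ClientID == "" {
		return fmt.Errorf("ClientID must be set when the audience check is enabled")
	}
	for _, a := range claims.Aud {
		if a == cfg.ClientID {
			return nil
		}
	}
	return fmt.Errorf("expected audience %q, got %v", cfg.ClientID, []string(claims.Aud))
}
```

Calling CheckAudience with Config{SkipClientIDCheck: true} on constructed claims `{"aud":["billing","reports"]}` returns nil, whereas Config{ClientID: "oxia"} returns an audience error for the same claims and nil only for claims whose aud contains "oxia".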

Metrics

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: 0.16.2
Affected Products: 1
Affected packages
  • oxia-db / oxia
    < 0.16.2
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N