{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40946", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T20:40:15.519Z", "datePublished": "2026-04-21T21:18:12.103Z", "dateUpdated": "2026-04-21T21:18:12.103Z"}, "containers": {"cna": {"title": "Oxia: OIDC token audience validation bypass via SkipClientIDCheck", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/oxia-db/oxia/security/advisories/GHSA-fhvp-9hcj-6m33", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/oxia-db/oxia/security/advisories/GHSA-fhvp-9hcj-6m33"}], "affected": [{"vendor": "oxia-db", "product": "oxia", "versions": [{"version": "< 0.16.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T21:18:12.103Z"}, "descriptions": [{"lang": "en", "value": "Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2."}], "source": {"advisory": "GHSA-fhvp-9hcj-6m33", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2."}], "id": "CVE-2026-40946", "lastModified": "2026-04-21T22:16:20.230", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T22:16:20.230", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/oxia-db/oxia/security/advisories/GHSA-fhvp-9hcj-6m33"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T04:34:14.982813+00:00", "value": {"mitigation_remediation": ["Upgrade Oxia to version 0.16.2 or later, where the SkipClientIDCheck flag is removed and audience claim validation is enforced.", "Ensure that your OIDC provider issues tokens with the correct audience claim that matches Oxia\u2019s client identifier and validate this claim during authentication.", "If custom verifier configuration is used, explicitly disable SkipClientIDCheck or remove any configuration that overrides the default audience validation logic."], "summary": {"action": "Immediate Patch", "impact": "Authorization Bypass via Unvalidated OIDC Audience"}, "threat_synthesis": {"affected_systems": "Oxia installations from versions prior to 0.16.2 are affected. The product is the Oxia metadata store and coordination system provided by oxia-db:oxia. Users running any older minor release that has not incorporated the 0.16.2 update are vulnerable.", "description_and_impact": "The vulnerability in Oxia\u2019s OIDC authentication provider allows the SkipClientIDCheck flag to be set to true, effectively disabling audience claim validation. This means any token issued by the same OIDC issuer for unrelated services can be accepted by Oxia, permitting an attacker to impersonate legitimate users or services and gain unauthorized access. The identified weakness corresponds to CWE\u2011287, which concerns authentication bypass by failing to verify identity information properly.", "risk_and_exploitability": "With a CVSS score of 9.2, this issue is considered of high severity. EPSS data is not available, but the vulnerability is not yet listed in CISA KEV. The likely attack vector is remote, where an adversary obtains or forges an OIDC token from the same issuer and presents it to Oxia. Because the standard audience check is bypassed, such a token would be accepted without further validation, enabling elevation of privilege or unauthorized access to the datastore."}}}}, "created": "2026-04-22T04:45:09.347171+00:00", "updated": "2026-04-22T04:45:09.347190+00:00", "vendors": []}