Platform
go
Component
oxia-db/oxia
Fixed in
0.16.3
0.16.2
CVE-2026-40946 affects Oxia versions 0.0.0 through 0.16.1. This vulnerability allows attackers to bypass audience validation in the OIDC authentication process, enabling unauthorized access. The root cause is the unconditional setting of SkipClientIDCheck: true in the go-oidc verifier configuration, disabling standard audience claim validation. A fix is available in version 0.16.2.
This vulnerability poses a significant risk to deployments utilizing OIDC authentication. An attacker possessing a valid JWT token issued by the same identity provider but intended for a different service (a different client_id/aud) can successfully authenticate to Oxia. This effectively bypasses the intended audience isolation mechanisms of OAuth2/OIDC, allowing an attacker to impersonate legitimate users or gain administrative access depending on the user's privileges within Oxia. The potential impact includes data breaches, unauthorized modifications to system configurations, and complete compromise of the Oxia instance.
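The following Go program is an added illustration of the decision the advisory describes; it is not Oxia's code and does not use go-oidc itself. It reproduces, with the standard library only, what `SkipClientIDCheck` controls in a go-oidc `Config`: whether a token's `aud` claim must contain the service's own `ClientID`. The token, issuer URL, client IDs and the `VerifierConfig`/`CheckAudience`/`MakeSampleToken` names are constructed for the demo; signature verification is deliberately out of scope, since that step is unaffected by the flag.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of ID-token claims that matter for audience validation.
type Claims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience Audience `json:"aud"`
}

// Audience accepts both the single-string and the array form RFC 7519 allows for "aud".
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = Audience(many)
	return nil
}

// VerifierConfig mirrors the two go-oidc Config fields the advisory is about
// (hypothetical local type; not the library's own).
type VerifierConfig struct {
	ClientID          string // the aud value this service expects
	SkipClientIDCheck bool   // true disables the check; this is the vulnerable setting
}

var (
	ErrMalformedToken   = errors.New("oidc: malformed token")
	ErrAudienceMismatch = errors.New("oidc: token audience does not include the expected client_id")
)

// decodePayload reads the claims segment of a compact JWT. The signature is not
// checked here: in a real deployment the verifier does that against the issuer's
// JWKS, and that step is the same whether or not SkipClientIDCheck is set.
func decodePayload(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformedToken
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformedToken
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, ErrMalformedToken
	}
	return &c, nil
}

// CheckAudience applies the decision SkipClientIDCheck controls: with the check
// enabled, a token is rejected unless its "aud" contains our ClientID.
func CheckAudience(cfg VerifierConfig, token string) (*Claims, error) {
	c, err := decodePayload(token)
	if err != nil {
		return nil, err
	}
	if cfg.SkipClientIDCheck {
		// Vulnerable path: any token from the same issuer is accepted,
		// whichever service it was minted for.
		return c, nil
	}
	for _, aud := range c.Audience {
		if aud == cfg.ClientID {
			return c, nil
		}
	}
	return nil, ErrAudienceMismatch
}

// MakeSampleToken builds a constructed token for the demo. The header and the
// signature segment are placeholders; this is not a real IdP-issued token.
func MakeSampleToken(c Claims) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".placeholder-signature"
}

func main() {
	// Constructed sample: a token the shared IdP issued for a different service.
	foreign := MakeSampleToken(Claims{Issuer: "https://idp.example", Subject: "alice", Audience: Audience{"billing-service"}})
	vulnerable := VerifierConfig{ClientID: "oxia", SkipClientIDCheck: true} // pre-0.16.2 behaviour
	fixed := VerifierConfig{ClientID: "oxia"}                               // 0.16.2 and later
	_, err := CheckAudience(vulnerable, foreign)
	fmt.Println("SkipClientIDCheck=true accepts foreign aud:", err == nil)
	_, err = CheckAudience(fixed, foreign)
	fmt.Println("SkipClientIDCheck=false rejects foreign aud:", errors.Is(err, ErrAudienceMismatch))
}
```

The point to take from the two configurations is that the issuer check alone does not separate services: every relying party behind one identity provider must pin its own `ClientID` in the verifier, and a token whose `aud` names another service must fail closed.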
This vulnerability was publicly disclosed on 2026-04-21. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation is relatively high due to the straightforward nature of token manipulation, making it a potential target for opportunistic attackers.
Organizations heavily reliant on OIDC for authentication, particularly those with multiple services sharing the same identity provider, are at heightened risk. Environments with legacy configurations or those lacking robust OIDC monitoring practices are also more vulnerable.
• linux / server:
journalctl -u oxia | grep "SkipClientIDCheck: true"
• generic web:
curl -I <oxia_endpoint> | grep -i "Authorization: Bearer"
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
The primary mitigation is to upgrade to Oxia version 0.16.2 or later, which addresses the vulnerability by properly validating the audience claim. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting access to Oxia based on known trusted client IDs or implementing stricter validation rules at the application level. Monitor OIDC authentication logs for suspicious activity, particularly tokens with unexpected audience claims. Review and audit OIDC configuration to ensure proper audience restriction is enforced.
Upgrade Oxia to version 0.16.2 or later to fix this vulnerability. The fixed version disables the default 'SkipClientIDCheck: true' setting in the go-oidc verifier, which ensures that the standard validation of the audience (aud) claim is performed.
CVE-2026-40946 is a vulnerability in Oxia allowing attackers to bypass audience validation in OIDC authentication, potentially gaining unauthorized access.
You are affected if you are using Oxia versions 0.0.0 through 0.16.1 and utilize OIDC authentication.
Upgrade to Oxia version 0.16.2 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
As of the current disclosure date, there are no known active exploits or campaigns targeting this vulnerability.
Refer to the official Oxia project documentation and release notes for the advisory related to CVE-2026-40946.