Platform: go
Component: oxia-db/oxia
Fixed in: 0.16.3, 0.16.2
CVE-2026-40946 affects Oxia versions 0.0.0 through 0.16.1. The vulnerability allows attackers to bypass audience validation in the OIDC authentication process, enabling unauthorized access. The root cause is that the go-oidc verifier configuration unconditionally sets SkipClientIDCheck: true, which disables the standard validation of the audience (aud) claim. A fix is available in version 0.16.2.
This vulnerability poses a significant risk to deployments utilizing OIDC authentication. An attacker possessing a valid JWT token issued by the same identity provider but intended for a different service (a different client_id/aud) can successfully authenticate to Oxia. This effectively bypasses the intended audience isolation mechanisms of OAuth2/OIDC, allowing an attacker to impersonate legitimate users or gain administrative access depending on the user's privileges within Oxia. The potential impact includes data breaches, unauthorized modifications to system configurations, and complete compromise of the Oxia instance.
This vulnerability was publicly disclosed on 2026-04-21. Currently, there are no known public exploits or active campaigns targeting it, and it is not listed in the CISA KEV catalog at the time of writing. Exploitation is relatively straightforward, making it a potential target for opportunistic attackers.
Organizations heavily reliant on OIDC for authentication, particularly those with multiple services sharing the same identity provider, are at heightened risk. Environments with legacy configurations or those lacking robust OIDC monitoring practices are also more vulnerable.
• linux / server:
journalctl -u oxia | grep "SkipClientIDCheck: true"
• generic web:
curl -I <oxia_endpoint> | grep -i "Authorization: Bearer"
Disclosure
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
The primary mitigation is to upgrade to Oxia version 0.16.2 or later, which addresses the vulnerability by properly validating the audience claim. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting access to Oxia based on known trusted client IDs or implementing stricter validation rules at the application level. Monitor OIDC authentication logs for suspicious activity, particularly tokens with unexpected audience claims. Review and audit OIDC configuration to ensure proper audience restriction is enforced.
To fix this vulnerability, update Oxia to version 0.16.2 or later. The fixed version no longer sets 'SkipClientIDCheck: true' by default, which ensures that the standard validation of the audience (aud) claim is performed.
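The following Go program is an added example, not code from Oxia or go-oidc, that isolates the audience step described above: it models the vulnerable configuration (SkipClientIDCheck: true) beside the fixed one and runs both against constructed tokens. VerifierConfig is a hypothetical stand-in whose field names follow go-oidc's Config; the tokens are test fixtures with a placeholder signature segment, because signature verification (which go-oidc does against the provider's keys before this step) is out of scope here. The rule itself, that the configured ClientID must appear in the token's aud claim, is the one go-oidc enforces unless SkipClientIDCheck is set, and the example also handles the case where aud is a JSON array rather than a single string.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Audience models the JWT "aud" claim, which RFC 7519 allows to be either a
// single string or an array of strings; both forms are normalised to a slice.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud claim must be a string or array of strings: %w", err)
	}
	*a = Audience(many)
	return nil
}

// Claims is the subset of ID-token claims this example inspects.
type Claims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience Audience `json:"aud"`
}

// VerifierConfig is a hypothetical stand-in for the two go-oidc Config fields
// relevant to this CVE (field names follow go-oidc; the type itself is ours).
type VerifierConfig struct {
	ClientID          string
	SkipClientIDCheck bool
}

// DecodeClaims parses the payload segment of a compact-serialised JWT.
// Signature verification is deliberately omitted: this example isolates only
// the audience step that follows it.
func DecodeClaims(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected header.payload.signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("payload is not valid claims JSON: %w", err)
	}
	return &c, nil
}

// CheckAudience applies the rule go-oidc enforces unless SkipClientIDCheck is
// set: the configured ClientID must appear in the token's aud claim.
func CheckAudience(cfg VerifierConfig, c *Claims) error {
	if cfg.SkipClientIDCheck {
		// Vulnerable path: any audience is accepted, so a token issued for a
		// sibling service behind the same identity provider passes.
		return nil
	}
	if cfg.ClientID == "" {
		return errors.New("verifier config: ClientID must be set when the audience check is enabled")
	}
	for _, aud := range c.Audience {
		if aud == cfg.ClientID {
			return nil
		}
	}
	return fmt.Errorf("audience mismatch: token aud %v does not include %q", []string(c.Audience), cfg.ClientID)
}

// Authorize runs the decode and audience steps and reports whether the token
// would be accepted under the given configuration.
func Authorize(cfg VerifierConfig, token string) error {
	c, err := DecodeClaims(token)
	if err != nil {
		return err
	}
	return CheckAudience(cfg, c)
}

// ConstructedToken builds a test fixture: a compact JWT whose signature segment
// is a placeholder, since only the aud claim matters for this example.
func ConstructedToken(aud interface{}) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]interface{}{
		"iss": "https://idp.example.test", // constructed issuer
		"sub": "user-42",                  // constructed subject
		"aud": aud,
	})
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".placeholder-signature"
}

func main() {
	vulnerable := VerifierConfig{ClientID: "oxia", SkipClientIDCheck: true} // pre-0.16.2 behaviour
	fixed := VerifierConfig{ClientID: "oxia"}                               // audience enforced
	foreign := ConstructedToken("other-service")                            // token for a sibling service
	own := ConstructedToken([]string{"oxia", "other-service"})              // token that names Oxia

	fmt.Println("vulnerable config, foreign token:", Authorize(vulnerable, foreign)) // <nil>: accepted
	fmt.Println("fixed config, foreign token:     ", Authorize(fixed, foreign))      // audience mismatch
	fmt.Println("fixed config, own token:         ", Authorize(fixed, own))          // <nil>: accepted
}
```

The empty-ClientID branch is worth keeping in any real verifier: with the check enabled, a missing ClientID should fail closed rather than silently accept every audience, which is the same outcome the vulnerable flag produced.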
CVE-2026-40946 is a vulnerability in Oxia allowing attackers to bypass audience validation in OIDC authentication, potentially gaining unauthorized access.
You are affected if you are using Oxia versions 0.0.0 through 0.16.1 and utilize OIDC authentication.
Upgrade to Oxia version 0.16.2 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
As of the current disclosure date, there are no known active exploits or campaigns targeting this vulnerability.
Refer to the official Oxia project documentation and release notes for the advisory related to CVE-2026-40946.