Oxia: OIDC token audience validation bypass via SkipClientIDCheck
Platform: go
Component: oxia-db/oxia
Fixed versions: 0.16.3, 0.16.2
CVE-2026-40946 affects Oxia versions 0.0.0 through 0.16.1. This vulnerability allows attackers to bypass audience validation in the OIDC authentication process, enabling unauthorized access. The root cause is the unconditional setting of SkipClientIDCheck: true in the go-oidc verifier configuration, disabling standard audience claim validation. A fix is available in version 0.16.2.
Impact and attack scenarios
This vulnerability poses a significant risk to deployments that authenticate with OIDC. Any holder of a valid JWT issued by the same identity provider for a different service (a different client_id, and therefore a different aud) can authenticate to Oxia, whether the token is the attacker's own token for another application or one harvested from that application. This defeats the audience isolation that OAuth2/OIDC relies on to keep tokens scoped to one service: the attacker is accepted as the token's subject and inherits whatever privileges that subject holds in Oxia, up to administrative access. The potential impact includes data breaches, unauthorized modification of system configuration, and complete compromise of the Oxia instance.
Exploitation status
This vulnerability was publicly disclosed on 2026-04-21. There are currently no known public exploits or active campaigns targeting it, and it is not listed in the CISA KEV catalog at the time of writing. Exploitation requires no token forgery or manipulation: a token legitimately issued by the shared identity provider for any other client is sufficient, so opportunistic abuse is easy wherever such tokens can be obtained.
Who is at risk
Organizations that rely on OIDC for authentication are at heightened risk, above all those where a single identity provider (issuer) serves many services, since tokens minted for unrelated clients are then plentiful and each of them is accepted by Oxia. Environments without OIDC authentication logging that records the aud claim are also more exposed, because the misuse leaves no distinguishing trace.
Detection steps
• Version check (any platform): confirm which Oxia release is deployed; every release from 0.0.0 through 0.16.1 is affected. For a Go project that pulls Oxia in as a dependency, the resolved version is recorded in go.mod:
grep -n oxia go.mod
• Source audit (checked-out or vendored code): the root cause is a literal in the go-oidc verifier configuration, so it can be located directly:
grep -rn "SkipClientIDCheck" .
• Runtime: a server is not expected to log its verifier configuration, and an HTTP response never echoes a request's Authorization header, so neither journalctl nor curl -I can reveal this condition. Instead, enable whatever OIDC authentication logging the deployment offers and review the aud claim of accepted tokens for any value other than Oxia's own client ID.
Attack timeline
- Disclosure: 2026-04-21
Threat intelligence
- EPSS: 0.06% (18th percentile)
Mitigations and workarounds
The primary mitigation is to upgrade to Oxia 0.16.2 or later, which validates the audience claim. Because the missing check sits inside Oxia itself, "restricting by client ID" at Oxia is not available as a workaround; until the upgrade lands, shrink the pool of tokens an attacker could replay instead. The flag only disables the audience check, so issuer validation still applies: giving Oxia a dedicated issuer (its own IdP realm or tenant) ensures that no other service's tokens come from the issuer Oxia trusts. Restrict network access to Oxia's OIDC-authenticated endpoints to the clients that need them. Monitor OIDC authentication logs for tokens whose aud is anything other than Oxia's client ID, and after upgrading, review and audit the OIDC configuration to confirm that audience restriction is enforced.
How to fix
To fix this vulnerability, update Oxia to version 0.16.2 or later. The fixed version no longer sets 'SkipClientIDCheck: true' on the go-oidc verifier, so the standard audience (aud) claim check is performed.
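The audience decision at the heart of this CVE, as an added example written for this page and not code from the Oxia or go-oidc projects: it reimplements the aud policy with only Go's standard library so it runs offline, decoding the payload of a constructed, unsigned token (signature, issuer and expiry checks are assumed to have passed already, as they did in the vulnerable flow) and applying the check once with SkipClientIDCheck set, as affected Oxia releases did, and once without. The client IDs "oxia" and "billing-api", the issuer URL and the helper names are assumptions, not values from the advisory. It also handles both shapes the aud claim may take, a single string or an array, since a verifier that accepts only one of them rejects valid tokens.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Audience models the JWT "aud" claim, which RFC 7519 allows to be a single
// string or an array of strings; a verifier must accept both shapes.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or array of strings: %w", err)
	}
	*a = Audience(many)
	return nil
}

// Claims is the subset of ID-token claims this example inspects.
type Claims struct {
	Subject  string   `json:"sub"`
	Audience Audience `json:"aud"`
}

// VerifierConfig mirrors the two go-oidc Config fields that decide the
// outcome of CVE-2026-40946.
type VerifierConfig struct {
	ClientID          string
	SkipClientIDCheck bool
}

// ParseClaims decodes the payload segment of a compact JWT. Signature, issuer
// and expiry checks are out of scope here: assume they already passed, as
// they do in the vulnerable flow, where only the audience check was skipped.
func ParseClaims(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT: expected header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("malformed JWT payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("malformed JWT claims: %w", err)
	}
	return &c, nil
}

// CheckAudience applies the audience policy a go-oidc verifier enforces after
// signature verification: with SkipClientIDCheck set every aud passes (the
// CVE); with it clear the token must list ClientID, and an empty ClientID
// fails closed instead of silently accepting everything.
func CheckAudience(c *Claims, cfg VerifierConfig) error {
	if cfg.SkipClientIDCheck {
		return nil // vulnerable configuration: any audience is accepted
	}
	if cfg.ClientID == "" {
		return errors.New("invalid configuration: ClientID must be set when SkipClientIDCheck is false")
	}
	for _, aud := range c.Audience {
		if aud == cfg.ClientID {
			return nil
		}
	}
	return fmt.Errorf("audience mismatch: expected %q, token carries %q", cfg.ClientID, []string(c.Audience))
}

// MakeUnsignedToken builds a constructed compact JWT with an empty signature
// segment so the example runs offline; a real verifier must reject it.
func MakeUnsignedToken(payload map[string]any) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, err := json.Marshal(payload)
	if err != nil {
		panic(err)
	}
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	// Constructed sample: a token the shared IdP minted for another service.
	// "oxia" and "billing-api" are assumed client IDs, not advisory values.
	foreign := MakeUnsignedToken(map[string]any{"sub": "alice", "aud": "billing-api"})
	claims, err := ParseClaims(foreign)
	if err != nil {
		panic(err)
	}
	fmt.Println("SkipClientIDCheck=true :", CheckAudience(claims, VerifierConfig{ClientID: "oxia", SkipClientIDCheck: true}))
	fmt.Println("SkipClientIDCheck=false:", CheckAudience(claims, VerifierConfig{ClientID: "oxia"}))
}
```

The empty-ClientID branch is the one to confirm when reviewing a patched configuration: this example follows go-oidc's rule that ClientID must be set unless the check is explicitly skipped, so a fix that merely drops the flag without configuring the client ID fails closed rather than quietly reopening the hole.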
Frequently asked questions
What is CVE-2026-40946 — OIDC Auth Bypass in Oxia?
CVE-2026-40946 is a vulnerability in Oxia allowing attackers to bypass audience validation in OIDC authentication, potentially gaining unauthorized access.
Am I affected by CVE-2026-40946 in Oxia?
You are affected if you are using Oxia versions 0.0.0 through 0.16.1 and utilize OIDC authentication.
How do I fix CVE-2026-40946 in Oxia?
Upgrade to Oxia version 0.16.2 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
Is CVE-2026-40946 being actively exploited?
As of the disclosure date (2026-04-21), there are no known public exploits or active campaigns targeting this vulnerability.
Where can I find the official Oxia advisory for CVE-2026-40946?
Refer to the official Oxia project documentation and release notes for the advisory related to CVE-2026-40946.