CVE-2026-40945

HIGH

Oxia: Bearer token exposed in debug log messages on authentication failure

Title source: cna

Description

Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2.

References (1)

[X_Refsource_Confirm] https://github.com/oxia-db/oxia/security/advisories/GHSA-pm7q-rjjx-979p

Scores

CVSS v4 8.7

EPSS 0.0006

EPSS Percentile 18.3%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-532

Status published

Products (1)

oxia-db/oxia < 0.16.2

Published Apr 21, 2026

Tracked Since Apr 22, 2026