CVE-2026-40945
HIGHOxia: Bearer token exposed in debug log messages on authentication failure
Title source: cnaDescription
Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/oxia-db/oxia/security/advisories/GHSA-pm7q-rjjx-979p
Scores
CVSS v4
8.7
EPSS
0.0031
EPSS Percentile
22.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-532
Status
published
Products (2)
oxia-db/oxia
0 - 0.16.2Go
oxia-db/oxia
< 0.16.2
Published
Apr 21, 2026
Tracked Since
Apr 22, 2026