CVE-2026-40946
CRITICALOxia: OIDC token audience validation bypass via SkipClientIDCheck
Title source: cnaDescription
Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/oxia-db/oxia/security/advisories/GHSA-fhvp-9hcj-6m33
Scores
CVSS v4
9.2
EPSS
0.0026
EPSS Percentile
16.6%
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-287
Status
published
Products (2)
oxia-db/oxia
0 - 0.16.2Go
oxia-db/oxia
< 0.16.2
Published
Apr 21, 2026
Tracked Since
Apr 22, 2026