CVE-2026-40946
Vulnerability Description
Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-287
Source
NVD
Vendor
oxia-db
Product
oxia
Discussion (0)
Add Comment
No comments yet. Be the first!