OIDC Authentication Flaw in Oxia Metadata Store and Coordination System
CVE-2026-40946

9.2CRITICAL

Key Information:

Vendor: Oxia-db
Status: Oxia
Vendor: CVE Published:; 21 April 2026

What is CVE-2026-40946?

The Oxia metadata store and coordination system had a significant flaw in its OIDC authentication provider, where the default configuration allowed for disabling the audience (aud) claim validation in the go-oidc verifier. Specifically, prior to version 0.16.2, the configuration would unconditionally set SkipClientIDCheck to true, compromising the integrity of authentication. This misconfiguration could permit tokens intended for unrelated services from the same OIDC issuer to be accepted by Oxia, posing a risk to security by potentially allowing unauthorized access. The issue was rectified in version 0.16.2.

Affected Version(s)

oxia < 0.16.2

References

https://github.com/oxia-db/oxia/security/advisories/GHSA-...

x_refsource_CONFIRM

CVSS V4

Score:

9.2

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 15, 2026

CVE-2026-40946 Data

JSON

Oxia-db

What is CVE-2026-40946?

Affected Version(s)

References

CVSS V4

Timeline