CVE 6.9 MEDIUM

Oxia: TLS CA certificate chain validation fails with multi-certificate PEM bundles_CVE-2026-40944

April 21, 2026 invoker category_cve
6.9 / 10
MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. This silently breaks certificate chain validation for mTLS. This vulnerability is fixed in 0.16.2.

Basic Information

ID CVE-2026-40944
Source GitHub_M
Published Apr 21, 2026 at 21:14

Affected Product

Vendor oxia-db
Product oxia
Version < 0.16.2
Affected Versions oxia-db oxia < 0.16.2

CWE Classification

CWE-295

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.