CVE 8.7 HIGH

Oxia: Bearer token exposed in debug log messages on authentication failure_CVE-2026-40945

April 21, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2.

AI Analysis

Bearer token exposed in debug log messages on authentication failure

Basic Information

ID CVE-2026-40945

Source GitHub_M

Published Apr 21, 2026 at 21:16

Affected Product

Vendor oxia-db

Product oxia

Version < 0.16.2

Affected Versions oxia-db oxia < 0.16.2

CWE Classification

CWE-532

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor oxia-db

Product oxia

Version < 0.16.2

References

github.com /oxia-db/oxia/security/advisories/GHSA-pm7q-rjjx-979p

{
    "lastseen": "",
    "description": "Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2.",
    "published": "2026-04-21T21:16:28.138Z",
    "modified": "2026-04-21T21:16:28.138Z",
    "type": "cve",
    "title": "Oxia: Bearer token exposed in debug log messages on authentication failure",
    "source": "GitHub_M",
    "references": "https://github.com/oxia-db/oxia/security/advisories/GHSA-pm7q-rjjx-979p",
    "id": "CVE-2026-40945",
    "bulletinFamily": "",
    "cwe": [
        "CWE-532"
    ],
    "cvelist": null,
    "sourceData": "oxia-db oxia < 0.16.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "oxia",
    "version": "< 0.16.2",
    "vendor": "oxia-db",
    "ai_description": "Bearer token exposed in debug log messages on authentication failure",
    "ai_severity": "High",
    "ai_vendor": "oxia-db",
    "ai_product": "oxia",
    "ai_version": "< 0.16.2",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply