CVE-2026-40946 CRITICAL

CVE-2026-40946: Oxia: OIDC token audience validation bypass via SkipClientIDCheck

Vendor Oxia-Db
Product oxia
Weakness CWE-287 · Improper authentication
Published April 21, 2026
Last update April 22, 2026

CVSS base score

9.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2.

Key dates

02Disclosure timeline

April 21, 2026 CVE published
April 22, 2026 Record updated