Description
Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2.
Published: 2026-04-21
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

Oxia versions prior to 0.16.2 log the full bearer token used for OpenID Connect authentication when that authentication fails. Because the token is written to the application debug log in plaintext, any system that collects those logs, including remote log aggregation services, may inadvertently expose JWT tokens. An attacker who obtains a still-valid bearer token from these logs could impersonate the user and access protected resources without authorization, compromising data confidentiality and integrity. The weakness is classified as CWE-532 (Insertion of Sensitive Information into Log File).

Affected Systems

The vulnerability affects the Oxia metadata store and coordination system, specifically the oxia-db:oxia product. Versions up to and including 0.16.1 are susceptible; the fix is included in 0.16.2 and later releases.

Risk and Exploitability

The CVSS score of 8.7 classifies this exposure as a high severity issue. While the EPSS score is not supplied, the absence of this CVE from the KEV catalog suggests a low to moderate exploitation probability at present; the sensitivity of leaked credentials nonetheless warrants immediate attention. If debug logging is enabled in a production environment, the token is recorded whenever an OIDC authentication attempt fails, and anyone with read access to the application logs or the aggregation pipeline can then retrieve it. The primary risk is therefore token disclosure that could enable unauthorized actions.

Generated by OpenCVE AI on April 22, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oxia to version 0.16.2 or later, which removes the bearer token from debug logs on authentication failure.
  • If an upgrade is not immediately possible, disable or reduce debug-level logging for the authentication module to prevent bearer tokens from being recorded.
  • Ensure that any log aggregation or monitoring system excludes or redacts sensitive log entries that may contain authentication tokens, adding a filtering step before storage or forwarding.
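The second and third recommendations above, illustrated in Go (the language Oxia is written in) as an added example that is not part of the OpenCVE record or of Oxia's own source. RenderAuthFailure contrasts a DEBUG call that embeds the whole bearer token as a log attribute, the CWE-532 pattern the advisory describes, with one that records only a SHA-256 fingerprint and the token length; RedactLine is the kind of filtering step a log shipper can apply before storing or forwarding lines. The token, the error message and all function names are constructed for this example, and only the Go standard library is used.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"log/slog"
	"regexp"
)

// SampleToken is a constructed JWT-shaped string (header.payload.signature)
// used only to exercise the code below; it is not a real credential.
const SampleToken = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"

// TokenFingerprint returns a short, non-reversible identifier so that repeated
// failures with the same token can still be correlated in logs without the
// token itself ever being written.
func TokenFingerprint(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:8]) // 16 hex characters
}

// RenderAuthFailure emits one DEBUG record for a failed OIDC check and returns
// the rendered line. safe=false reproduces the vulnerable pattern (the full
// bearer token becomes a log attribute); safe=true logs only a fingerprint and
// the length. Hypothetical illustration, not Oxia's own logging code.
func RenderAuthFailure(safe bool, token string, err error) string {
	var buf bytes.Buffer
	logger := slog.New(slog.NewTextHandler(&buf, &slog.HandlerOptions{Level: slog.LevelDebug}))
	if safe {
		logger.Debug("oidc authentication failed",
			"token_fp", TokenFingerprint(token),
			"token_len", len(token),
			"err", err)
	} else {
		logger.Debug("oidc authentication failed", "token", token, "err", err)
	}
	return buf.String()
}

// bearerRe matches an HTTP-style "Bearer <credential>"; jwtRe matches the three
// dot-separated base64url segments of a JWT wherever they appear in a line.
var (
	bearerRe = regexp.MustCompile(`(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+`)
	jwtRe    = regexp.MustCompile(`\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b`)
)

// RedactLine is the filtering step an aggregator or shipper can apply before
// storage or forwarding, as a compensating control on unpatched versions.
func RedactLine(line string) string {
	line = bearerRe.ReplaceAllString(line, "Bearer [REDACTED]")
	return jwtRe.ReplaceAllString(line, "[REDACTED-JWT]")
}

func main() {
	err := errors.New("token signature verification failed") // constructed failure reason
	unsafeLine := RenderAuthFailure(false, SampleToken, err)
	fmt.Print("vulnerable pattern: ", unsafeLine)
	fmt.Print("after redaction:    ", RedactLine(unsafeLine))
	fmt.Print("fixed pattern:      ", RenderAuthFailure(true, SampleToken, err))
}
```

The fingerprint keeps failed attempts correlatable (the same bad token shows the same token_fp) while giving a log reader nothing they can replay. Redaction at the aggregation layer is only a compensating control: the token has already been written to the local log file, so the upgrade or lowering the log level for the authentication path remains the actual fix.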

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Oxia-db; Oxia-db oxia
Vendors & Products  |                | Oxia-db; Oxia-db oxia

Wed, 22 Apr 2026 00:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2.
Title       |                | Oxia: Bearer token exposed in debug log messages on authentication failure
Weaknesses  |                | CWE-532
References  |                |
Metrics     |                | cvssV4_0: score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T17:44:37.673Z

Reserved: 2026-04-15T20:40:15.519Z

Link: CVE-2026-40945

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T22:16:20.107

Modified: 2026-04-21T22:16:20.107

Link: CVE-2026-40945

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:44:58Z

Weaknesses