Description
Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2.
Published: 2026-04-21
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass via Unvalidated OIDC Audience
Action: Immediate Patch
AI Analysis

Impact

Before 0.16.2, Oxia's OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, which switches off the library's audience (aud) claim check. The verifier still validates the token's signature and issuer, so what slips through is any token the configured issuer legitimately issued to some other client (another application or service that uses the same identity provider): Oxia accepts it as if it had been issued for Oxia. Whoever holds such a token, whether the legitimate user of an unrelated application or an attacker who has captured one of its tokens, can therefore authenticate to Oxia without ever having been granted access to it. The weakness is classified as CWE-287 (Improper Authentication).

Affected Systems

All Oxia releases before 0.16.2 are affected (product oxia-db:oxia, the Oxia metadata store and coordination system). Any deployment that has not moved to 0.16.2 and authenticates clients with the OIDC provider is exposed; the flaw lies in that provider, so deployments that do not use OIDC authentication do not exercise the affected code.

Risk and Exploitability

The CVSS 4.0 base score of 9.2 places the issue in the Critical band. The vector (AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) reflects network reachability with no privileges or user interaction, with the high attack complexity accounting for the precondition that the attacker must hold a token from the issuer Oxia trusts. EPSS is below 1% and the CVE is not listed in CISA KEV. The attack is remote: an adversary who has obtained any valid token from Oxia's configured OIDC issuer, issued for some other relying party, presents it to Oxia. The attacker cannot forge tokens, because signature and issuer checks still apply, but with the audience check disabled Oxia never notices that the token was not meant for it, and the holder gains access to the metadata store with whatever privileges Oxia maps to that token's identity.

Generated by OpenCVE AI on April 22, 2026 at 06:20 UTC.

Remediation

Vendor fix: upgrade to Oxia 0.16.2, which restores audience validation. No workaround for earlier releases is documented.

OpenCVE Recommended Actions

  • Upgrade Oxia to version 0.16.2 or later, which no longer sets SkipClientIDCheck: true, so go-oidc enforces the audience claim check again.
  • Make sure the OIDC provider issues Oxia's tokens with an aud claim that includes Oxia's client identifier, and that Oxia is configured with that same client ID; go-oidc compares the token's aud against the configured ClientID, so a mismatch on either side will cause legitimate tokens to be rejected once the check is active.
  • If you build or customise the verifier configuration yourself, leave SkipClientIDCheck at its default of false and set ClientID explicitly; any override that skips audience validation reintroduces the issue. Until the upgrade is in place, note that the bypass only applies to tokens from the same issuer, so an issuer dedicated to Oxia limits exposure but does not remove the need to patch.

Generated by OpenCVE AI on April 22, 2026 at 06:20 UTC.
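As an added example (not code from Oxia, OpenCVE or go-oidc), the following Go program, standard library only, reproduces the check that SkipClientIDCheck turns off and shows the consequence described in the Impact and Recommended Actions sections above. A constructed issuer key signs two RS256 tokens from the same issuer, one with aud "oxia" and one for an unrelated client "billing-dashboard"; a minimal verifier modelled on go-oidc's order of checks (signature, iss, then aud against ClientID unless SkipClientIDCheck is set) accepts the foreign token under the pre-0.16.2 configuration and rejects it under the corrected one, while a token with a corrupted signature is rejected under both. VerifierConfig, Verify, SignToken, Demo, the issuer URL and both client IDs are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

// VerifierConfig stands in for the two go-oidc oidc.Config fields at issue (assumed names; not go-oidc's code).
type VerifierConfig struct {
	ClientID          string
	SkipClientIDCheck bool
}

// Audience accepts both forms RFC 7519 allows for aud: a single string or an array.
type Audience []string
func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = Audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

type Claims struct {
	Issuer   string   `json:"iss"`
	Audience Audience `json:"aud"`
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignToken issues an RS256 JWT from the constructed test issuer.
func SignToken(key *rsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c) // plain string fields cannot fail to marshal
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64(sig), err
}

// Verify keeps go-oidc's order of checks: signature, issuer, then audience.
// With SkipClientIDCheck set, any token the issuer signed passes, whatever its aud.
func Verify(pub *rsa.PublicKey, issuer string, cfg VerifierConfig, token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	raw := make([][]byte, 3) // header, payload, signature
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, err
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Issuer != issuer {
		return nil, fmt.Errorf("issuer %q, expected %q", c.Issuer, issuer)
	}
	// The check Oxia < 0.16.2 switched off by setting SkipClientIDCheck: true.
	if !cfg.SkipClientIDCheck && !slices.Contains(c.Audience, cfg.ClientID) {
		return nil, fmt.Errorf("audience %v does not include %q", c.Audience, cfg.ClientID)
	}
	return &c, nil
}

// Outcome records how each configuration treated the constructed tokens.
type Outcome struct{ VulnerableAcceptsForeign, FixedAcceptsForeign, FixedAcceptsOwn, TamperedRejected bool }

// Demo mints one token for Oxia and one for an unrelated client of the same issuer and verifies both.
func Demo() (Outcome, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	const issuer = "https://sso.example.internal" // assumed issuer URL
	own, _ := SignToken(key, Claims{Issuer: issuer, Audience: Audience{"oxia"}})
	foreign, _ := SignToken(key, Claims{Issuer: issuer, Audience: Audience{"billing-dashboard"}})
	tampered := foreign + "A" // lengthens the signature, so it can no longer verify
	vulnerable := VerifierConfig{ClientID: "oxia", SkipClientIDCheck: true} // Oxia before 0.16.2
	fixed := VerifierConfig{ClientID: "oxia"}                                // default false: aud must name oxia
	accepts := func(cfg VerifierConfig, tok string) bool {
		_, e := Verify(&key.PublicKey, issuer, cfg, tok)
		return e == nil
	}
	return Outcome{accepts(vulnerable, foreign), accepts(fixed, foreign), accepts(fixed, own), !accepts(vulnerable, tampered)}, nil
}
```

The block has no main; call Demo from a test or a main of your own and inspect the four booleans. go-oidc itself behaves the same way on the audience check: with SkipClientIDCheck false it compares the token's aud against oidc.Config.ClientID and returns an error if ClientID is empty, so the corrected configuration must set the client ID rather than merely drop the flag.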


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Values Removed: none

Type: First Time appeared
Values Added: Oxia-db; Oxia-db oxia

Type: Vendors & Products
Values Added: Oxia-db; Oxia-db oxia

Wed, 22 Apr 2026 00:00:00 +0000

Values Removed: none

Type: Description
Values Added: Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2.

Type: Title
Values Added: Oxia: OIDC token audience validation bypass via SkipClientIDCheck

Type: Weaknesses
Values Added: CWE-287

Type: References
Values Added: (none shown)

Type: Metrics (cvssV4_0)
Values Added: {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T18:11:23.671Z

Reserved: 2026-04-15T20:40:15.519Z

Link: CVE-2026-40946

Vulnrichment

Updated: 2026-04-22T18:09:07.615Z

NVD

Status : Deferred

Published: 2026-04-21T22:16:20.230

Modified: 2026-04-22T20:28:12.780

Link: CVE-2026-40946

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:44:57Z

Weaknesses