CVE-2026-40944
Received Received - Intake

Certificate Chain Validation Bypass in Oxia TLS Configuration

Vulnerability report for CVE-2026-40944, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description

Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. This silently breaks certificate chain validation for mTLS. This vulnerability is fixed in 0.16.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-07-06
AI Q&A
2026-04-22
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
oxia metadata_store to 0.16.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Oxia, a metadata store and coordination system, in versions prior to 0.16.2. The issue is in the trustedCertPool() function used in the TLS configuration, which only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates, such as intermediate and root CA certificates, only the first certificate is loaded. This causes the certificate chain validation for mutual TLS (mTLS) to silently fail.

Impact Analysis

Because only the first certificate in a CA bundle is loaded, the certificate chain validation for mTLS is broken. This means that the system may incorrectly trust or reject certificates during TLS handshakes, potentially allowing unauthorized access or causing legitimate connections to fail. This undermines the security guarantees of mTLS, which relies on proper certificate chain validation to authenticate parties.

Mitigation Strategies

To mitigate this vulnerability, upgrade Oxia to version 0.16.2 or later, where the trustedCertPool() function correctly parses all PEM blocks in CA certificate files, ensuring proper certificate chain validation for mTLS.

Compliance Impact

This vulnerability causes the trustedCertPool() function to only parse the first PEM block from CA certificate files, which breaks certificate chain validation for mutual TLS (mTLS).

Since mTLS is used to ensure secure and authenticated communication, this flaw could weaken the security posture of systems relying on Oxia, potentially impacting compliance with standards and regulations that require strong encryption and authentication mechanisms, such as GDPR and HIPAA.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40944. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart