CVE-2026-40944
Status: Received - Intake
Certificate Chain Validation Bypass in Oxia TLS Configuration

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. This silently breaks certificate chain validation for mTLS. This vulnerability is fixed in 0.16.2.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE:
Vendor: oxia, Product: metadata_store, Version / Range: up to 0.16.2 (excluding)
CWE
CWE-295: The product does not validate, or incorrectly validates, a certificate.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Oxia, a metadata store and coordination system, in versions prior to 0.16.2. The issue is in the trustedCertPool() function used in the TLS configuration, which parses only the first PEM block from a CA certificate file. When a CA bundle contains multiple certificates, such as an intermediate and a root CA, every certificate after the first is silently dropped from the trust pool, so certificate chain validation for mutual TLS (mTLS) no longer matches what the operator configured. Nothing is logged: whether a given peer still verifies depends only on which certificate happens to appear first in the file.


How can this vulnerability impact me?

Because only the first certificate in a CA bundle is loaded, the trust pool Oxia uses for mTLS is missing every other CA in the file. Peers whose certificates chain through one of the omitted CAs cannot be validated, so depending on the order of the file the system may reject legitimate connections or trust a different set of certificates than intended. Either way the security guarantee of mTLS is undermined, since it relies on the full, intended set of trust anchors to authenticate both parties.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Oxia to version 0.16.2 or later, where trustedCertPool() parses every PEM block in the CA certificate file, so all CAs in the bundle enter the trust pool. After upgrading, confirm the loaded pool matches the file: count the BEGIN CERTIFICATE blocks in the bundle and test an mTLS connection with a certificate that chains through the last CA in the file, since that is the one the old code dropped.
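The loader defect described in the Description above and the fix described in this answer, as an added Go example that is not Oxia's code: poolFirstBlockOnly is a reconstruction of the single pem.Decode pattern the advisory describes, poolAllBlocks is one correct loader, and the certificates are a throwaway chain generated in memory. The function names, the certificate subjects and the bundle layout are this example's own assumptions, not anything taken from the Oxia source.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// newChain builds a throwaway root -> intermediate -> client-leaf chain in memory (constructed test data, not Oxia material).
func newChain() (root, inter, leaf *x509.Certificate) {
	now := time.Now()
	tmpl := func(serial int64, cn string, ca bool) *x509.Certificate {
		c := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
		if !ca { // the leaf is a plain client-auth cert, as an mTLS client would present
			c.KeyUsage, c.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		}
		return c
	}
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := tmpl(1, "test root CA", true)
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter = issue(tmpl(2, "test intermediate CA", true), root, &interKey.PublicKey, rootKey)
	leaf = issue(tmpl(3, "oxia-client", false), inter, &leafKey.PublicKey, interKey)
	return root, inter, leaf
}

// pemBundle concatenates certificates in the given order, like a CA bundle file on disk.
func pemBundle(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// poolFirstBlockOnly reproduces the flawed pattern the advisory describes: one pem.Decode, so only the first CERTIFICATE block is trusted (a reconstruction, not Oxia's source).
func poolFirstBlockOnly(bundle []byte) (*x509.CertPool, int) {
	pool := x509.NewCertPool()
	if block, _ := pem.Decode(bundle); block != nil { // the rest of the file is discarded here
		if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
			pool.AddCert(cert)
			return pool, 1
		}
	}
	return pool, 0
}

// poolAllBlocks walks every PEM block, fails on junk instead of skipping it, and reports how many CAs it loaded so the caller can refuse an empty or truncated bundle.
func poolAllBlocks(bundle []byte) (*x509.CertPool, int, error) {
	pool, n := x509.NewCertPool(), 0
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			return nil, n, fmt.Errorf("unexpected %q block in CA bundle", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, n, fmt.Errorf("certificate %d: %w", n+1, err)
		}
		pool.AddCert(cert)
		n++
	}
	return pool, n, nil
}

// verifyClientLeaf plays the server side of an mTLS handshake in which the peer sent only its leaf, so the issuing intermediate must already be in the trusted pool.
func verifyClientLeaf(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	root, inter, leaf := newChain()
	bundle := pemBundle(root, inter) // the usual operator layout: root first, then intermediate
	oldPool, oldN := poolFirstBlockOnly(bundle)
	newPool, newN, _ := poolAllBlocks(bundle)
	fmt.Printf("first-block loader: %d CA loaded, client accepted: %v\n", oldN, verifyClientLeaf(leaf, oldPool))
	fmt.Printf("all-blocks loader:  %d CAs loaded, client accepted: %v\n", newN, verifyClientLeaf(leaf, newPool))
}
```

With the root listed before the intermediate, the first-block loader reports one CA and rejects the client leaf, while the all-blocks loader reports two and accepts it. Listing the intermediate first makes the flawed loader succeed, which is exactly why a defect like this goes unnoticed until a bundle is reordered or a second CA is added. The standard library's x509.CertPool.AppendCertsFromPEM also loops over every block, but it skips blocks it cannot parse and returns only whether anything was added, so keep an explicit count if you want to detect a truncated or mangled bundle at startup.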


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability causes the trustedCertPool() function to only parse the first PEM block from CA certificate files, which breaks certificate chain validation for mutual TLS (mTLS).

Since mTLS is used to ensure secure and authenticated communication, this flaw could weaken the security posture of systems relying on Oxia, potentially impacting compliance with standards and regulations that require strong encryption and authentication mechanisms, such as GDPR and HIPAA.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.

