CVE-2026-40945
Received Received - Intake
Sensitive Token Exposure via Debug Logging in Oxia Metadata Store

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40945
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oxia metadata_store to 0.16.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Oxia, a metadata store and coordination system. Before version 0.16.2, when OIDC authentication fails, the full bearer token (a JWT token) is logged in plaintext at the DEBUG logging level.

If debug logging is enabled in a production environment, these sensitive tokens are exposed in application logs and any connected log aggregation systems, potentially allowing unauthorized access to sensitive authentication tokens.

This issue was fixed in version 0.16.2 of Oxia.

Compliance Impact

This vulnerability causes full bearer tokens (JWT tokens) to be logged in plaintext at the DEBUG level when OIDC authentication fails, if debug logging is enabled in production.

Exposing sensitive authentication tokens in logs can lead to unauthorized access if logs are accessed by malicious actors or improperly secured.

Such exposure may violate data protection and privacy requirements in common standards and regulations like GDPR and HIPAA, which mandate protection of sensitive authentication credentials and personal data.

Therefore, this vulnerability can negatively impact compliance by increasing the risk of unauthorized disclosure of sensitive authentication information.

Impact Analysis

The vulnerability can lead to exposure of sensitive bearer tokens in logs if debug logging is enabled in production.

Attackers or unauthorized users who gain access to these logs or connected log aggregation systems could retrieve these tokens and potentially impersonate users or gain unauthorized access to systems protected by these tokens.

This can result in security breaches, data leaks, and unauthorized actions within the affected environment.

Detection Guidance

This vulnerability can be detected by checking if the Oxia metadata store is running a version prior to 0.16.2 and if debug logging is enabled in production environments.

You can look for logs that contain full bearer tokens in plaintext at the DEBUG logging level, which indicates exposure of JWT tokens.

Since no specific commands are provided in the available information, a general approach would be to search application logs for patterns resembling JWT tokens when debug logging is enabled.

Mitigation Strategies

The immediate mitigation step is to upgrade Oxia to version 0.16.2 or later, where this vulnerability is fixed.

Additionally, avoid enabling debug logging in production environments to prevent exposure of sensitive bearer tokens in logs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40945. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart