CVE-2026-40945
Status: Received - Intake
Sensitive Token Exposure via Debug Logging in Oxia Metadata Store

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2.
Meta Information

Published: 2026-04-21

Last Modified: 2026-04-21

Generated: 2026-05-07

AI Q&A: 2026-04-22

EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)

Vendor: oxia
Product: metadata_store
Version / Range: up to 0.16.2 (excluding)
CWE

CWE-532: The product writes sensitive information to a log file.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Oxia, a metadata store and coordination system. Before version 0.16.2, when OIDC authentication fails, the full bearer token (a JWT token) is logged in plaintext at the DEBUG logging level.

If debug logging is enabled in a production environment, these sensitive tokens are exposed in application logs and any connected log aggregation systems, potentially allowing unauthorized access to sensitive authentication tokens.

This issue was fixed in version 0.16.2 of Oxia.


How can this vulnerability impact me?

The vulnerability can lead to exposure of sensitive bearer tokens in logs if debug logging is enabled in production.

Attackers or unauthorized users who gain access to these logs or connected log aggregation systems could retrieve these tokens and potentially impersonate users or gain unauthorized access to systems protected by these tokens.

This can result in security breaches, data leaks, and unauthorized actions within the affected environment.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the Oxia metadata store is running a version prior to 0.16.2 and if debug logging is enabled in production environments.

You can look for logs that contain full bearer tokens in plaintext at the DEBUG logging level, which indicates exposure of JWT tokens.

Since no specific commands are provided in the available information, a general approach would be to search application logs for patterns resembling JWT tokens when debug logging is enabled.
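The search described above, written out as an added example (this is not Oxia's code and not part of the advisory). It scans constructed log lines for JWT-shaped bearer tokens and shows the redaction a logger should apply instead of emitting the token. The log line format, the sample token and the `eyJ` heuristic (both the JWS header and payload are base64url-encoded JSON objects, so each begins with `eyJ`) are assumptions; tokens in other formats are not matched.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// jwtPattern matches a JWS-style token: three dot-separated base64url
// segments whose header and payload both start with "eyJ" (base64url of `{"`).
// Assumption: tokens of other shapes are out of scope for this scan.
var jwtPattern = regexp.MustCompile(`eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+`)

// Finding records one JWT-shaped token found in the log text.
type Finding struct {
	Line  int    // 1-based line number in the scanned text
	Token string // the token exactly as it appeared in the log
}

// SampleLog is constructed input (the line format is an assumption, not
// Oxia's actual format). Line 2 mimics the pre-0.16.2 failure path that
// logged the full bearer token at DEBUG; the token is a throwaway value
// built from {"alg":"RS256","typ":"JWT"} / {"sub":"alice"} / "signature".
const SampleLog = `2026-04-21T10:00:00Z INFO  oxia server started
2026-04-21T10:00:01Z DEBUG oidc authentication failed: invalid token eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl
2026-04-21T10:00:02Z DEBUG request latency 3ms`

// ScanLogs returns one Finding per JWT-shaped token in logText.
// A non-empty result means credentials have reached the log sink and the
// corresponding tokens should be treated as exposed.
func ScanLogs(logText string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(logText, "\n") {
		for _, tok := range jwtPattern.FindAllString(line, -1) {
			findings = append(findings, Finding{Line: i + 1, Token: tok})
		}
	}
	return findings
}

// RedactJWTs replaces each JWT-shaped token with a marker that keeps only
// the first eight characters of the header: enough to correlate log lines,
// not enough to replay the token. This is the behaviour a logger should have
// on the authentication-failure path instead of writing the whole token.
func RedactJWTs(line string) string {
	return jwtPattern.ReplaceAllStringFunc(line, func(tok string) string {
		return "[REDACTED-JWT " + tok[:8] + "...]"
	})
}

func main() {
	for _, f := range ScanLogs(SampleLog) {
		fmt.Printf("line %d: JWT-shaped token found (%d chars)\n", f.Line, len(f.Token))
	}
	fmt.Println("redacted view:")
	for _, line := range strings.Split(SampleLog, "\n") {
		fmt.Println(RedactJWTs(line))
	}
}
```

Run the scanner over exported log archives and over the log aggregation system's stored data, not only the live application log, since the advisory notes that both receive the token; any hit should trigger revocation of the affected session and a check that debug logging is disabled in production.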


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Oxia to version 0.16.2 or later, where this vulnerability is fixed.

Additionally, avoid enabling debug logging in production environments to prevent exposure of sensitive bearer tokens in logs.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability causes full bearer tokens (JWT tokens) to be logged in plaintext at the DEBUG level when OIDC authentication fails, if debug logging is enabled in production.

Exposing sensitive authentication tokens in logs can lead to unauthorized access if logs are accessed by malicious actors or improperly secured.

Such exposure may violate data protection and privacy requirements in common standards and regulations like GDPR and HIPAA, which mandate protection of sensitive authentication credentials and personal data.

Therefore, this vulnerability can negatively impact compliance by increasing the risk of unauthorized disclosure of sensitive authentication information.

