CVE-2026-40946
Received Received - Intake
OIDC Audience Validation Bypass in Oxia Metadata Store

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40946
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oxia oxia to 0.16.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Oxia, a metadata store and coordination system, specifically in versions prior to 0.16.2. The issue is that the OIDC authentication provider sets SkipClientIDCheck to true in the go-oidc verifier configuration. This disables the standard audience (aud) claim validation at the library level, which means that tokens issued for unrelated services by the same OIDC issuer can be accepted by Oxia.

Impact Analysis

Because the audience claim validation is disabled, Oxia may accept authentication tokens that were not intended for it but were issued for other services by the same OIDC issuer. This can allow unauthorized access to Oxia, potentially leading to security breaches where attackers use tokens meant for other services to gain access.

Mitigation Strategies

To mitigate this vulnerability, upgrade Oxia to version 0.16.2 or later, where the issue with the OIDC authentication provider unconditionally setting SkipClientIDCheck to true is fixed.

Compliance Impact

This vulnerability allows Oxia to accept tokens issued for unrelated services by the same OIDC issuer due to disabled audience claim validation. This could lead to unauthorized access to sensitive data or systems.

Such unauthorized access risks violating compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of personal and sensitive data.

Therefore, until fixed (in version 0.16.2), this vulnerability may negatively impact compliance with these regulations by undermining authentication integrity and access control.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40946. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart