Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

oxia

Source -

CNA

CNA CVEs -

4

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
4Vulnerabilities found
CVE-2026-40946
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.2||CRITICAL
EPSS-0.05% / 15.33%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 21:18
Updated-22 Apr, 2026 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Oxia: OIDC token audience validation bypass via SkipClientIDCheck

Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2.

Action-Not Available
Vendor-oxia-db
Product-oxia
CWE ID-CWE-287
Improper Authentication
CVE-2026-40945
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.05% / 15.33%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 21:16
Updated-22 Apr, 2026 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Oxia: Bearer token exposed in debug log messages on authentication failure

Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2.

Action-Not Available
Vendor-oxia-db
Product-oxia
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2026-40944
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.02% / 6.44%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 21:14
Updated-22 Apr, 2026 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Oxia: TLS CA certificate chain validation fails with multi-certificate PEM bundles

Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. This silently breaks certificate chain validation for mTLS. This vulnerability is fixed in 0.16.2.

Action-Not Available
Vendor-oxia-db
Product-oxia
CWE ID-CWE-295
Improper Certificate Validation
CVE-2026-40943
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.04% / 11.36%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 21:13
Updated-22 Apr, 2026 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Oxia: Server crash via race condition in session heartbeat handling

Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.

Action-Not Available
Vendor-oxia-db
Product-oxia
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')