{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40945", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T20:40:15.519Z", "datePublished": "2026-04-21T21:16:28.138Z", "dateUpdated": "2026-04-21T21:16:28.138Z"}, "containers": {"cna": {"title": "Oxia: Bearer token exposed in debug log messages on authentication failure", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/oxia-db/oxia/security/advisories/GHSA-pm7q-rjjx-979p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/oxia-db/oxia/security/advisories/GHSA-pm7q-rjjx-979p"}], "affected": [{"vendor": "oxia-db", "product": "oxia", "versions": [{"version": "< 0.16.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T21:16:28.138Z"}, "descriptions": [{"lang": "en", "value": "Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2."}], "source": {"advisory": "GHSA-pm7q-rjjx-979p", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2."}], "id": "CVE-2026-40945", "lastModified": "2026-04-21T22:16:20.107", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T22:16:20.107", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/oxia-db/oxia/security/advisories/GHSA-pm7q-rjjx-979p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T06:20:50.734264+00:00", "value": {"mitigation_remediation": ["Upgrade Oxia to version\u00a00.16.2\u00a0or later, which removes the bearer token from debug logs on authentication failure.", "If an upgrade is not immediately possible, disable or reduce debug\u2011level logging for the authentication module to prevent bearer tokens from being recorded.", "Ensure that any log aggregation or monitoring system excludes or redacts sensitive log entries that may contain authentication tokens, adding a filtering step before storage or forwarding."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Oxia metadata store and coordination system, specifically the oxia-db:oxia product. Versions up to and including 0.16.1 are susceptible; the fix is included in 0.16.2 and later releases.", "description_and_impact": "Oxia versions prior to 0.16.2 log the full bearer token used for OpenID Connect authentication when the authentication fails. Because this information is written to the application debug log in plaintext, any system that collects logs\u2014including remote log aggregation services\u2014may inadvertently expose JWT tokens. If an attacker obtains a valid bearer token from these logs, they could impersonate the user and access protected resources without authorization, leading to potential compromise of data confidentiality and integrity. The weakness is identified as CWE-532, a flaw in data privacy and log handling.", "risk_and_exploitability": "The CVSS score of 8.7 classifies this exposure as a high severity issue. While the EPSS score is not supplied, the lack of a public exploit in KEV suggests low to moderate exploitation probability at present, yet the critical nature of token leakage warrants immediate attention. If debug logging is enabled in a production environment, the attack vector is likely through an OIDC authentication attempt that fails, causing the token to be inadvertently recorded. Thus, the primary risk is token disclosure that could enable unauthorized actions.\n"}}}}, "created": "2026-04-22T04:45:09.347763+00:00", "updated": "2026-04-22T06:30:10.670943+00:00", "vendors": []}