CVE-2026-40945: Oxia exposes bearer token in debug log messages on authentication failure

April 14, 2026 (updated April 24, 2026)

When OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system.

References

github.com/advisories/GHSA-pm7q-rjjx-979p
github.com/oxia-db/oxia
github.com/oxia-db/oxia/commit/f7259d0ebc739fc95ff19f93c823433850857416
github.com/oxia-db/oxia/security/advisories/GHSA-pm7q-rjjx-979p
nvd.nist.gov/vuln/detail/CVE-2026-40945

Code Behaviors & Features

Detect and mitigate CVE-2026-40945 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →