CVE-2026-40946: Oxia has an OIDC token audience validation bypass via SkipClientIDCheck
The OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia.
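To make the failure mode concrete, the following Go program reproduces the audience decision that go-oidc makes from its verifier `Config`: when `SkipClientIDCheck` is true the `aud` claim is never compared against `ClientID`, so a token minted by the same issuer for a different service verifies. This is an added example, not Oxia's or go-oidc's code; `VerifierConfig` is a hypothetical stand-in that copies only the two relevant go-oidc fields (`ClientID`, `SkipClientIDCheck`), the sample tokens are constructed and unsigned, and signature, issuer and expiry verification are assumed to have happened before the audience check, as the real library does.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// VerifierConfig is a hypothetical stand-in that mirrors only the go-oidc
// Config fields that matter for audience checking.
type VerifierConfig struct {
	ClientID          string
	SkipClientIDCheck bool
}

// audience accepts the "aud" claim as either a JSON string or an array of
// strings; both shapes are legal, so a verifier must handle both.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud claim is neither string nor array: %w", err)
	}
	*a = audience(many)
	return nil
}

type claims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience audience `json:"aud"`
}

// decodeClaims extracts the payload segment of a compact JWT. Signature,
// issuer and expiry checks are assumed done by the OIDC library beforehand.
func decodeClaims(rawToken string) (*claims, error) {
	parts := strings.Split(rawToken, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected three segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("payload is not valid JSON: %w", err)
	}
	return &c, nil
}

// VerifyAudience applies the same rule go-oidc applies: the audience check is
// skipped entirely when SkipClientIDCheck is set, otherwise ClientID must
// appear in the aud claim.
func VerifyAudience(cfg VerifierConfig, rawToken string) error {
	c, err := decodeClaims(rawToken)
	if err != nil {
		return err
	}
	if cfg.SkipClientIDCheck {
		return nil // weak: any audience issued by this issuer is accepted
	}
	if cfg.ClientID == "" {
		return errors.New("invalid configuration: ClientID must be set unless SkipClientIDCheck is true")
	}
	for _, aud := range c.Audience {
		if aud == cfg.ClientID {
			return nil
		}
	}
	return fmt.Errorf("expected audience %q, got %q", cfg.ClientID, []string(c.Audience))
}

// MintUnsignedToken builds a constructed, unsigned sample token for the demo;
// aud may be a string or a []string.
func MintUnsignedToken(aud interface{}) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(map[string]interface{}{"iss": "https://issuer.example", "sub": "svc-account", "aud": aud})
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".sig"
}

// The configuration described in the advisory beside its corrected form.
var (
	WeakConfig     = VerifierConfig{SkipClientIDCheck: true}
	HardenedConfig = VerifierConfig{ClientID: "oxia"}
)

func main() {
	oxiaToken := MintUnsignedToken("oxia")
	otherToken := MintUnsignedToken([]string{"billing-api", "reporting"})
	for _, c := range []struct {
		name string
		cfg  VerifierConfig
	}{{"weak", WeakConfig}, {"hardened", HardenedConfig}} {
		fmt.Printf("%-8s oxia token:  %v\n", c.name, VerifyAudience(c.cfg, oxiaToken))
		fmt.Printf("%-8s other token: %v\n", c.name, VerifyAudience(c.cfg, otherToken))
	}
}
```

The fix is the configuration change shown in `HardenedConfig`: set `ClientID` to the identifier the issuer registered for Oxia and leave `SkipClientIDCheck` at its default of false, so that a token whose `aud` names another service is rejected even though its signature, issuer and expiry are valid.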