GHSA-pm7q-rjjx-979p: Oxia exposes bearer token in debug log messages on authentication failure

April 14, 2026

When OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system.

References

github.com/advisories/GHSA-pm7q-rjjx-979p
github.com/oxia-db/oxia
github.com/oxia-db/oxia/commit/f7259d0ebc739fc95ff19f93c823433850857416
github.com/oxia-db/oxia/security/advisories/GHSA-pm7q-rjjx-979p

Code Behaviors & Features

Detect and mitigate GHSA-pm7q-rjjx-979p with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →