CVE-2026-40945
Oxia exposes bearer token in debug log messages on authentication failure
Description
### Summary When OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. ### Impact An attacker with access to application logs (e.g., via a compromised log aggregation pipeline, shared logging infrastructure, or misconfigured log access controls) can extract valid JWT tokens and replay them to authenticate as legitimate users. All versions using OIDC authentication are affected. ### Details In `oxiad/common/rpc/auth/interceptor.go`, the `validateTokenWithContext()` function logs the complete token value via `slog.String("token", token)` when authentication fails. This includes the full JWT header, payload, and signature. ### Patches Fixed by redacting the token in log output — only the last 8 characters are preserved for correlation purposes. ### Workarounds Ensure DEBUG-level logging is never enabled in production environments.
How to fix CVE-2026-40945
To remediate CVE-2026-40945, upgrade the affected package to a fixed version below.
- —upgrade to 0.16.2 or later
Is CVE-2026-40945 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.16.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |