Auth bypass in Oxia-db Oxia
CVE-2026-40946
Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation…
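What the skipped check means in practice, as an added example that is neither Oxia's nor go-oidc's code: a standard-library-only EdDSA ID-token verifier whose configuration borrows the go-oidc `Config` field names `ClientID` and `SkipClientIDCheck`. The issuer URL, the client id "oxia", the second relying party "other-app" and the minted tokens are all constructed for this example. With `SkipClientIDCheck: true` a token the identity provider issued for a different application is accepted; with the flag left false and `ClientID` set to Oxia's own client id it is rejected, while Oxia's own token still passes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID-token claims this example checks. Real verifiers must
// also accept "aud" as a bare string; the tokens constructed here always use an array.
type Claims struct {
	Issuer   string   `json:"iss"`
	Audience []string `json:"aud"`
	Expiry   int64    `json:"exp"`
}

// VerifierConfig borrows the two go-oidc Config field names the advisory refers to;
// the verifier below is this example's own stand-in, not go-oidc.
type VerifierConfig struct {
	ClientID          string // audience Oxia's own ID tokens carry (assumed value: "oxia")
	SkipClientIDCheck bool   // true reproduces the vulnerable setting: aud is never compared
}

// Verifier holds the trusted issuer and its EdDSA public key (hypothetical stand-in for go-oidc).
type Verifier struct {
	issuer string
	pub    ed25519.PublicKey
	cfg    VerifierConfig
}

// Verify checks signature, iss and exp, then (unless skipped) that aud contains ClientID.
func (v *Verifier) Verify(now time.Time, raw string) (*Claims, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(v.pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("invalid signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if c.Issuer != v.issuer || !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, errors.New("wrong issuer or expired token")
	}
	if v.cfg.SkipClientIDCheck { // vulnerable path: any token from this issuer passes
		return &c, nil
	}
	for _, a := range c.Audience {
		if a == v.cfg.ClientID {
			return &c, nil
		}
	}
	return nil, errors.New("aud does not contain the expected client id")
}

// mintIDToken signs claims as an EdDSA JWT, standing in for the identity provider.
func mintIDToken(priv ed25519.PrivateKey, c Claims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	signingInput := hdr + "." + base64.RawURLEncoding.EncodeToString(body)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// Demo mints a token for another relying party ("other-app") and one for Oxia (hypothetical
// ids, constructed here) and reports whether the foreign token passes the vulnerable config,
// whether it passes the fixed config, and whether Oxia's own token still passes the fixed config.
func Demo() (foreignVuln, foreignFixed, ownFixed bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	const issuer = "https://idp.example"
	now := time.Now()
	exp := now.Add(time.Hour).Unix()
	// Genuine IdP signature, right issuer, not expired: only aud says it is not for Oxia.
	foreign := mintIDToken(priv, Claims{Issuer: issuer, Audience: []string{"other-app"}, Expiry: exp})
	own := mintIDToken(priv, Claims{Issuer: issuer, Audience: []string{"oxia"}, Expiry: exp})
	vulnerable := &Verifier{issuer: issuer, pub: pub, cfg: VerifierConfig{ClientID: "oxia", SkipClientIDCheck: true}}
	fixed := &Verifier{issuer: issuer, pub: pub, cfg: VerifierConfig{ClientID: "oxia"}}
	_, e1 := vulnerable.Verify(now, foreign)
	_, e2 := fixed.Verify(now, foreign)
	_, e3 := fixed.Verify(now, own)
	return e1 == nil, e2 == nil, e3 == nil, nil
}

func main() {
	foreignVuln, foreignFixed, ownFixed, _ := Demo()
	fmt.Printf("foreign aud accepted: vulnerable=%v fixed=%v; own aud accepted (fixed)=%v\n",
		foreignVuln, foreignFixed, ownFixed)
}
```

In go-oidc itself the same contrast is between `oidc.Config{SkipClientIDCheck: true}` and `oidc.Config{ClientID: "<Oxia's registered client id>"}`; the advisory does not describe the shape of the 0.16.2 fix, so the hardened configuration above is the generic correct setup, not a reproduction of Oxia's patch. The check matters because every relying party registered with the same identity provider receives validly signed ID tokens from it, so without the aud comparison a token minted for any of them authenticates to Oxia as well.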
Vulnerability class: Broken Authentication
EPSS: 0.001 (21.1st percentile)
Affected products
- Oxia-db Oxia — versions < 0.16.2
Weakness classification (CWE)
References
- https://github.com/oxia-db/oxia/security/advisories/GHSA-fhvp-9hcj-6m33 (GitHub Security Advisory)