CVE-2026-40945
EPSS 0.07%Oxia exposes bearer token in debug log messages on authentication failure
Description
### Summary When OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. ### Impact An attacker with access to application logs (e.g., via a compromised log aggregation pipeline, shared logging infrastructure, or misconfigured log access controls) can extract valid JWT tokens and replay them to authenticate as legitimate users. All versions using OIDC authentication are affected. ### Details In `oxiad/common/rpc/auth/interceptor.go`, the `validateTokenWithContext()` function logs the complete token value via `slog.String("token", token)` when authentication fails. This includes the full JWT header, payload, and signature. ### Patches Fixed by redacting the token in log output — only the last 8 characters are preserved for correlation purposes. ### Workarounds Ensure DEBUG-level logging is never enabled in production environments.
Affected packages (1)
- Go/github.com/oxia-db/oxiafrom 0, < 0.16.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |