PT-2026-34188 · Oxia · Oxia
Published: 2026-04-14 · Updated: 2026-04-26
CVE-2026-40944
CVSS v4.0: 8.0 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |
Name of the Vulnerable Software and Affected Versions
Oxia versions prior to 0.16.2
Description
The trustedCertPool() function in the TLS configuration parses only the first PEM block from CA certificate files. When a CA bundle contains multiple certificates, such as an intermediate and a root CA, only the first certificate is loaded, which silently breaks certificate chain validation for mutual TLS (mTLS), where client and server each authenticate the other with certificates.
Recommendations
Update to version 0.16.2.
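The loading mistake the description refers to is easy to reproduce in Go, the language Oxia is written in. The following is an added example, not Oxia's code: loadFirstBlockOnly is a hypothetical reconstruction of the flawed pattern (one pem.Decode call, remainder of the file discarded), and loadAllBlocks is the standard-library way to load a whole bundle. All certificates are constructed in memory; the bundle is written root first, so the flawed loader keeps the root and drops the intermediate, and a peer certificate issued by that intermediate fails verification. With the intermediate first the root would be dropped instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for name, signed by parent (self-signed when parent is nil).
// Everything here is constructed for the demonstration.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func toPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// loadFirstBlockOnly reproduces the flawed pattern (hypothetical reconstruction,
// not Oxia's code): pem.Decode yields one block and the rest is ignored.
func loadFirstBlockOnly(bundle []byte) (*x509.CertPool, error) {
	block, _ := pem.Decode(bundle)
	if block == nil {
		return nil, errors.New("no PEM block in CA file")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool, nil
}

// loadAllBlocks is the corrected form: AppendCertsFromPEM walks every block in the file.
func loadAllBlocks(bundle []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, errors.New("no certificates parsed from CA file")
	}
	return pool, nil
}

// chainVerifies reports whether leaf chains to pool, as the TLS handshake
// would check a peer certificate against the configured CA pool.
func chainVerifies(leaf *x509.Certificate, pool *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

type Outcome struct {
	FirstBlockOnly bool
	AllBlocks      bool
}

// demo builds root -> intermediate -> leaf, bundles root and intermediate
// (root first) and verifies the leaf against each loader's pool.
func demo() Outcome {
	root, rootKey := newCert("Constructed Root CA", true, nil, nil)
	inter, interKey := newCert("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := newCert("peer.example.invalid", false, inter, interKey)
	bundle := append(toPEM(root), toPEM(inter)...)

	partial, err := loadFirstBlockOnly(bundle)
	check(err)
	full, err := loadAllBlocks(bundle)
	check(err)
	return Outcome{
		FirstBlockOnly: chainVerifies(leaf, partial), // false: intermediate never loaded
		AllBlocks:      chainVerifies(leaf, full),    // true
	}
}

func main() {
	fmt.Printf("%+v\n", demo())
}
```

Note that AppendCertsFromPEM returns false only when it parsed no certificate at all; a bundle with one bad block among good ones still loads the good ones, so a stricter loader should count the blocks it expects.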
Fix
Improper Certificate Validation
Weakness Enumeration
Related Identifiers
Affected Products
Oxia