PT-2026-34190 · Oxia · Oxia
Published 2026-04-14 · Updated 2026-04-26 · CVE-2026-40946
CVSS v4.0: 9.3 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Oxia versions prior to 0.16.2
Description
The OIDC authentication provider unconditionally sets `SkipClientIDCheck: true` in the go-oidc verifier configuration. This disables the library's standard audience (`aud`) claim validation, so a token the same OIDC issuer minted for an unrelated service is accepted as if it were issued for Oxia. Consequently, any valid JWT from the same issuer grants full access, regardless of the audience it was intended for.
Recommendations
Update to version 0.16.2.
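The check that `SkipClientIDCheck` turns off, written out as an added stand-alone example (not Oxia's or go-oidc's code): after signature verification (assumed done by the caller), the token is accepted only if the expected client ID appears in its `aud` claim, in either the string or the array form RFC 7519 permits. `ConstructedToken` and the claim values it is fed are constructed fixtures; in go-oidc itself the same effect comes from setting `ClientID` in the verifier config instead of skipping the check.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// CheckAudience is the validation that SkipClientIDCheck disables: after the
// signature has been verified (assumed done by the caller), the token is accepted
// only if expectedClientID is in "aud", which RFC 7519 allows as a string or an array.
func CheckAudience(rawJWT, expectedClientID string) error {
	parts := strings.Split(rawJWT, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed JWT: want header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("decoding payload: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return fmt.Errorf("parsing claims: %w", err)
	}
	var auds []string
	switch v := claims["aud"].(type) {
	case string:
		auds = []string{v}
	case []any:
		for _, x := range v {
			if s, ok := x.(string); ok {
				auds = append(auds, s)
			}
		}
	}
	// A missing or malformed "aud" leaves auds empty, so the check fails closed.
	for _, aud := range auds {
		if aud == expectedClientID {
			return nil
		}
	}
	return fmt.Errorf("audience %q does not include %q", auds, expectedClientID)
}

// ConstructedToken builds an unsigned header.payload. token (test fixture only, not a real token).
func ConstructedToken(claimsJSON string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none"}`)) + "." + enc([]byte(claimsJSON)) + "."
}
```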
Fix
Weakness Enumeration
Improper Authentication
Related Identifiers
Affected Products
Oxia