External risk intelligence

Oxia may accept invalid tokens allowing unauthorized access to your data.

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-40946

An internal attacker can bypass Oxia security by reusing tokens from other services to gain unauthorized access. This puts critical business data at risk of exposure or modification and could cause major operational disruptions.

Halo Surface Signal: 2

Authentication Bypass

External exposure likelihood

Halo Surface Signal score for CVE-2026-40946

Oxia is a metadata store and coordination system typically deployed as internal backend infrastructure. While the authentication interface can be reached if it is misconfigured or exposed, such services are not typically designed for direct public internet access in real-world deployments.

Horizon Alert

Summary of the vulnerability and why it matters

An issue exists in Oxia, a metadata store and coordination system, that allows authentication tokens for unrelated services to be accepted. This happens because a specific security check related to token validation is bypassed. This means unauthorized access could be granted to sensitive data and system functions.

  • Allows tokens from other services.
  • Potentially exposes sensitive data.
  • Needs careful configuration review.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this flaw by forging a JSON Web Token (JWT) to impersonate a legitimate user or service. If Oxia's OIDC authentication is misconfigured or exposed, an attacker could craft a token signed by any OIDC issuer, bypassing audience validation and gaining unauthorized access to sensitive data or system functions.

  • No authentication required.
  • Target Oxia's OIDC endpoint.
  • Valid OIDC issuer present.

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this vulnerability less appealing due to Oxia's typical role as internal infrastructure. While an attacker could potentially exploit this to impersonate users or gain unauthorized access if the OIDC provider is misconfigured or exposed, the complexity and limited direct public exposure of such systems generally deter mass exploitation. This means it's more likely to be targeted in highly specific or persistent attacks rather than widespread campaigns.

  • Unlikely to be a KEV candidate.
  • No readily available public exploit.
  • Primarily an internal systems concern.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize securing Oxia instances by updating to version 0.16.2 or later to patch the OIDC audience validation flaw. If immediate patching is not feasible, analyze network traffic for anomalous OIDC token usage and consider temporarily disabling the OIDC authentication provider.

  • Update Oxia to version 0.16.2.
  • Monitor for unauthorized token usage.
  • Isolate Oxia if suspicious activity is detected.

Frequently asked questions

What is Oxia and what is it used for?

Oxia is a scalable metadata store and coordination system used as core infrastructure for large-scale distributed systems. It provides functionalities similar to systems like Apache ZooKeeper and etcd, including service discovery, leader election, and distributed locks, and can store large amounts of metadata.

What is the weakness in CVE-2026-40946 for Oxia?

CVE-2026-40946 is an authentication bypass vulnerability. The OIDC authentication provider in Oxia versions prior to 0.16.2 incorrectly configures the OIDC verifier to always skip client ID checks. This means tokens issued for other services by the same OIDC issuer can be accepted by Oxia, bypassing standard security validation.

How can an attacker exploit this Oxia vulnerability?

An attacker can exploit this by presenting a valid JWT that was issued for a different service by the same OIDC provider. Because Oxia's audience claim validation is disabled, Oxia accepts that token, allowing the attacker to authenticate as if they were a legitimate user or service.
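To make the weakness in the two answers above concrete, here is an added Go example (not Oxia's code; the page does not name the library it uses) of a minimal JWT verifier with the one knob that matters: an always-on `skipClientIDCheck`, named after go-oidc's `SkipClientIDCheck` option, accepts any validly signed token from the issuer regardless of its `aud` claim, while the corrected verifier requires the configured client ID. The HS256 key, the claims and `MintToken` are constructed for the demo only; the audience check also handles the array form of `aud` that RFC 7519 allows.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// MintToken builds an HS256 JWT from a claims map; used only to construct sample tokens.
func MintToken(key []byte, claims map[string]interface{}) string {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	in := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(in))
	return in + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Verify checks the signature, then the audience unless skipClientIDCheck is set (the flaw in Oxia before 0.16.2).
func Verify(key []byte, clientID string, skipClientIDCheck bool, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var claims map[string]interface{}
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if skipClientIDCheck {
		return claims, nil // vulnerable: every validly signed token from the issuer is accepted
	}
	auds := []interface{}{claims["aud"]} // RFC 7519: aud is a single string ...
	if list, ok := claims["aud"].([]interface{}); ok {
		auds = list // ... or an array of strings
	}
	for _, a := range auds {
		if a == clientID {
			return claims, nil
		}
	}
	return nil, errors.New("token not issued for this client")
}
```

Calling `Verify(key, "oxia", true, tok)` with a token whose `aud` is another service succeeds, which is the reported behaviour; with `skipClientIDCheck` false the same token is rejected.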

Who needs to care about this Oxia security issue?

Organizations running Oxia, especially those using its OIDC authentication provider, should care. This vulnerability is classified as 'external' due to the network attack vector, meaning it could be reached if Oxia's authentication interface is exposed to the internet or improperly secured.

What is the first step to address CVE-2026-40946 in Oxia?

The primary step is to update Oxia to version 0.16.2 or a later version, which contains the fix for this vulnerability. If immediate patching is not possible, consider network-level isolation to restrict access to Oxia's gRPC endpoints.
