CVE-2026-40946— Oxia: OIDC token audience validation bypass via SkipClientIDCheck

Oxia: OIDC token audience validation bypass via SkipClientIDCheck

Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2.

N/A

认证机制不恰当

oxia 授权问题漏洞

oxia是Oxia开源的一个分布式元数据存储与协调系统。 Oxia 0.16.2之前版本存在授权问题漏洞，该漏洞源于OIDC身份验证提供程序无条件地在go-oidc验证器配置中设置SkipClientIDCheck: true，禁用了库级别的标准受众声明验证，可能导致同一OIDC颁发者为无关服务颁发的令牌被Oxia接受。

N/A

N/A