CVE-2026-40945
Oxia exposes bearer token in debug log messages on authentication failure
描述
### Summary When OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. ### Impact An attacker with access to application logs (e.g., via a compromised log aggregation pipeline, shared logging infrastructure, or misconfigured log access controls) can extract valid JWT tokens and replay them to authenticate as legitimate users. All versions using OIDC authentication are affected. ### Details In `oxiad/common/rpc/auth/interceptor.go`, the `validateTokenWithContext()` function logs the complete token value via `slog.String("token", token)` when authentication fails. This includes the full JWT header, payload, and signature. ### Patches Fixed by redacting the token in log output — only the last 8 characters are preserved for correlation purposes. ### Workarounds Ensure DEBUG-level logging is never enabled in production environments.
如何修補 CVE-2026-40945
要修補 CVE-2026-40945,請將受影響套件升級到下列已修補版本。
- —升級至 0.16.2 或更新版本
CVE-2026-40945 正在被利用嗎?
低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 0.16.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |