High severity · NVD Advisory · Published Apr 21, 2026 · Updated Apr 22, 2026
CVE-2026-40945
Description
Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2.
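The commit below redacts the token at the one `slog.Debug` call site that leaked it. A complementary defence is to redact at the logger level, so a future call site that logs a `token` attribute cannot leak it either. The following is an added example, not Oxia's code; it uses Go's standard `log/slog` `ReplaceAttr` hook, assumes sensitive values are logged under keys such as `token` or `authorization`, and replaces the value with a truncated SHA-256 fingerprint so repeated failures for the same credential can still be correlated without logging any token bytes.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"io"
	"log/slog"
	"os"
	"strings"
)

// sensitiveKeys lists attribute keys whose values must never reach a log sink.
// Assumption: call sites use these keys (the Oxia patch uses "token").
var sensitiveKeys = map[string]bool{"token": true, "authorization": true, "bearer": true}

// fingerprint returns a short, non-reversible identifier for a secret so that
// log lines about the same credential can be correlated without exposing it.
func fingerprint(secret string) string {
	sum := sha256.Sum256([]byte(secret))
	return "sha256:" + hex.EncodeToString(sum[:])[:12]
}

// redactAttr is a slog ReplaceAttr hook: it rewrites sensitive attributes before
// any handler formats them, so a forgotten call site cannot leak the value.
func redactAttr(_ []string, a slog.Attr) slog.Attr {
	if sensitiveKeys[strings.ToLower(a.Key)] {
		return slog.String(a.Key, "[REDACTED "+fingerprint(a.Value.String())+"]")
	}
	return a
}

// newSafeLogger builds a DEBUG-level JSON logger with the redaction hook installed.
func newSafeLogger(w io.Writer) *slog.Logger {
	opts := &slog.HandlerOptions{Level: slog.LevelDebug, ReplaceAttr: redactAttr}
	return slog.New(slog.NewJSONHandler(w, opts))
}

func main() {
	// Constructed sample token, not a real credential.
	token := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.payload.signature"
	log := newSafeLogger(os.Stdout)
	// Same shape as the vulnerable call in the advisory; the token never reaches stdout.
	log.Debug("Failed to authenticate token",
		slog.String("peer", "10.0.0.1:6648"),
		slog.String("token", token))
}
```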
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/oxia-db/oxia (Go) | < 0.16.2 | 0.16.2 |
Patches
1f7259d0ebc73 security: redact bearer tokens in debug log messages (#1025)
2 files changed · +58 −1
oxiad/common/rpc/auth/interceptor.go+14 −1 modified@@ -98,8 +98,21 @@ func validateTokenWithContext(ctx context.Context, provider AuthenticationProvid if userName, err = provider.Authenticate(ctx, token); err != nil { slog.Debug("Failed to authenticate token", slog.String("peer", peerMeta.Addr.String()), - slog.String("token", token)) + slog.String("token", redactToken(token))) return "", err } return userName, nil } + +// redactToken returns a redacted version of a token for safe logging. +// For tokens longer than 8 characters, at most the last 8 characters are +// preserved and the rest is replaced with "[REDACTED]". Tokens of 8 characters +// or fewer are fully redacted to "[REDACTED]". +func redactToken(token string) string { + const suffixLen = 8 + const prefix = "[REDACTED]" + if len(token) <= suffixLen { + return prefix + } + return prefix + token[len(token)-suffixLen:] +}
oxiad/common/rpc/auth/interceptor_test.go+44 −0 added@@ -0,0 +1,44 @@ +// Copyright 2023-2025 The Oxia Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package auth + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestRedactToken(t *testing.T) { + tests := []struct { + name string + token string + expected string + }{ + {"empty", "", "[REDACTED]"}, + {"short", "abc", "[REDACTED]"}, + {"exactly8", "12345678", "[REDACTED]"}, + {"9chars", "123456789", "[REDACTED]23456789"}, + {"starts with redaction prefix", "[REDACTED]123456789", "[REDACTED]23456789"}, + {"long token", "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.payload.signature", "[REDACTED]ignature"}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := redactToken(tt.token) + assert.Equal(t, tt.expected, result) + // Ensure the redacted output never equals the original token + assert.NotEqual(t, tt.token, result, "redacted output must differ from original token") + }) + } +}
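Review bot: in `redactToken`, keeping the last 8 characters still emits credential material: for a short opaque token most of the secret lands in the log (the test table's own case `{"9chars", "123456789", "[REDACTED]23456789"}` reveals eight of nine characters), and for a JWT the retained tail is part of the signature. If the suffix exists so operators can correlate repeated failures, a truncated SHA-256 fingerprint of the token, or simply `len(token)`, gives that without logging any token bytes; if the suffix stays, the doc comment should say why 8 was chosen. Minor: `token[len(token)-suffixLen:]` slices bytes rather than runes, so a non-ASCII token can produce invalid UTF-8 in the log line.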
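Review bot: the `assert.NotEqual(t, tt.token, result, ...)` check in `TestRedactToken` only proves the output is not byte-identical to the input, so it passes for the `9chars` case even though eight of nine characters are exposed; a stronger property to assert is an upper bound on how much of the original survives, for example that `strings.TrimPrefix(result, "[REDACTED]")` is never longer than half of `tt.token` for the short cases. Style: the file header reads `Copyright 2023-2025` on a file added in a fix the advisory dates to 2026.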