VYPR

Go modules package

github.com/oxia-db/oxia

pkg:golang/github.com/oxia-db/oxia

Vulnerabilities (4)

  • CVE-2026-40946 | Cri | Apr 21, 2026
    affected < 0.16.2 | fixed 0.16.2

    Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens

  • CVE-2026-40945 | Hig | Apr 21, 2026
    affected < 0.16.2 | fixed 0.16.2

    Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation

  • CVE-2026-40944 | Med | Apr 21, 2026
    affected < 0.16.2 | fixed 0.16.2

    Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first cer

  • CVE-2026-40943 | Hig | Apr 21, 2026
    affected < 0.16.2 | fixed 0.16.2

    Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and u