GHSA-PM7Q-RJJX-979P
Vulnerability from github – Published: 2026-04-14 23:14 – Updated: 2026-04-14 23:14Summary
When OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system.
Impact
An attacker with access to application logs (e.g., via a compromised log aggregation pipeline, shared logging infrastructure, or misconfigured log access controls) can extract valid JWT tokens and replay them to authenticate as legitimate users.
All versions using OIDC authentication are affected.
Details
In oxiad/common/rpc/auth/interceptor.go, the validateTokenWithContext() function logs the complete token value via slog.String("token", token) when authentication fails. This includes the full JWT header, payload, and signature.
Patches
Fixed by redacting the token in log output — only the last 8 characters are preserved for correlation purposes.
Workarounds
Ensure DEBUG-level logging is never enabled in production environments.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.16.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/oxia-db/oxia"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.16.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T23:14:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nWhen OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system.\n\n### Impact\nAn attacker with access to application logs (e.g., via a compromised log aggregation pipeline, shared logging infrastructure, or misconfigured log access controls) can extract valid JWT tokens and replay them to authenticate as legitimate users.\n\nAll versions using OIDC authentication are affected.\n\n### Details\nIn `oxiad/common/rpc/auth/interceptor.go`, the `validateTokenWithContext()` function logs the complete token value via `slog.String(\"token\", token)` when authentication fails. This includes the full JWT header, payload, and signature.\n\n### Patches\nFixed by redacting the token in log output \u2014 only the last 8 characters are preserved for correlation purposes.\n\n### Workarounds\nEnsure DEBUG-level logging is never enabled in production environments.",
"id": "GHSA-pm7q-rjjx-979p",
"modified": "2026-04-14T23:14:38Z",
"published": "2026-04-14T23:14:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/oxia-db/oxia/security/advisories/GHSA-pm7q-rjjx-979p"
},
{
"type": "WEB",
"url": "https://github.com/oxia-db/oxia/commit/f7259d0ebc739fc95ff19f93c823433850857416"
},
{
"type": "PACKAGE",
"url": "https://github.com/oxia-db/oxia"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Oxia exposes bearer token in debug log messages on authentication failure"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.