[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-40946":6},{"stargazers_count":4,"fetched_at":5},5,"2026-04-22T10:18:55.356Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":60,"aliases":61,"duplicate_of":9,"upstream":62,"downstream":63,"duplicates":64,"related":65,"reserved_at":9,"published_at":66,"modified_at":66,"state":67,"summary":68,"references_raw":75,"kevs":82,"epss":9,"epss_history":83,"metrics":84,"affected":91},"CVE-2026-40946","Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-287","Improper Authentication","When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.","weakness","Draft","Class","High",[20,24,28,32,36,40,44,48,52,56],{"id":21,"name":22,"techniques":23},"CAPEC-114","Authentication Abuse",[],{"id":25,"name":26,"techniques":27},"CAPEC-115","Authentication Bypass",[],{"id":29,"name":30,"techniques":31},"CAPEC-151","Identity Spoofing",[],{"id":33,"name":34,"techniques":35},"CAPEC-194","Fake the Source of Data",[],{"id":37,"name":38,"techniques":39},"CAPEC-22","Exploiting Trust in Client",[],{"id":41,"name":42,"techniques":43},"CAPEC-57","Utilizing REST's Trust in the System Resource to Obtain Sensitive Data",[],{"id":45,"name":46,"techniques":47},"CAPEC-593","Session Hijacking",[],{"id":49,"name":50,"techniques":51},"CAPEC-633","Token Impersonation",[],{"id":53,"name":54,"techniques":55},"CAPEC-650","Upload a Web Shell to a Web Server",[],{"id":57,"name":58,"techniques":59},"CAPEC-94","Adversary in the Middle (AiTM)",[],[],[],[],[],[],[],"2026-04-21T21:18:12.103Z","Received",{"cisa_kev":69,"cisa_ransomware":69,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":70,"severity_score":71,"severity_version":72,"severity_source":73,"severity_vector":74,"severity_status":67},false,"critical",9.2,"v4.0","cve.org","CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",[76],{"url":77,"sources":78,"tags":80},"https://github.com/oxia-db/oxia/security/advisories/GHSA-fhvp-9hcj-6m33",[73,79],"nvd",[81],"X Refsource CONFIRM",[],[],[85,88],{"source":73,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":86},{"baseScore":71,"baseSeverity":87,"vectorString":74,"impactScore":9,"exploitabilityScore":9},"CRITICAL",{"source":79,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":89},{"baseScore":71,"baseSeverity":87,"vectorString":90,"impactScore":9,"exploitabilityScore":9},"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",[92],{"ecosystem":9,"name":93,"vendor":94,"product":93,"cpe_part":95,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":96},"oxia","oxia-db","a",[97],{"version":98,"is_range":99,"range_type":73,"version_start":9,"version_start_type":9,"version_end":100,"version_end_type":101,"fixed_in":9},"\u003C 0.16.2",true,"0.16.2","excluding"]