Oxia logs sensitive authentication tokens on authentication failures

GHSA-pm7q-rjjx-979p
Summary

Oxia exposes authentication tokens in debug logs if debug logging is enabled in production. This allows an attacker with access to logs to steal and reuse user credentials. To fix, ensure debug logging is disabled in production environments or apply the available patch.

What to do
  • Update github.com oxia-db to version 0.16.2.
Affected software

| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| go | github.com | oxia-db | <= 0.16.1 |

Fix: upgrade to 0.16.2
Original title
Oxia exposes bearer token in debug log messages on authentication failure
Original description
### Summary
When OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system.

### Impact
An attacker with access to application logs (e.g., via a compromised log aggregation pipeline, shared logging infrastructure, or misconfigured log access controls) can extract valid JWT tokens and replay them to authenticate as legitimate users.

All versions using OIDC authentication are affected.

### Details
In `oxiad/common/rpc/auth/interceptor.go`, the `validateTokenWithContext()` function logs the complete token value via `slog.String("token", token)` when authentication fails. This includes the full JWT header, payload, and signature.

### Patches
Fixed by redacting the token in log output — only the last 8 characters are preserved for correlation purposes.
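An added Go example, not Oxia's own code, showing the DEBUG log line the advisory describes next to a redacting version, and capturing what a log pipeline would receive from each. The `redactToken` helper, its `...` prefix, the handling of short inputs and the sample token are assumptions; only the 8-character tail comes from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"log/slog"
	"strings"
)

// tokenTailLen: the advisory states the patch keeps the last 8 characters.
const tokenTailLen = 8
// sampleToken is a constructed JWT-shaped string, not a real credential.
const sampleToken = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLWJ5dGVz"

// redactToken masks a bearer token so a failed-auth log line can still be
// matched to a client without exposing the JWT. The "..." prefix and the
// handling of short inputs are assumptions, not the patch's exact format.
func redactToken(token string) string {
	if len(token) <= tokenTailLen { // too short to be a JWT: hide it entirely
		return "[REDACTED]"
	}
	return "..." + token[len(token)-tokenTailLen:]
}

// logAuthFailureVulnerable mirrors the behaviour the advisory describes:
// the full token is written to the DEBUG log.
func logAuthFailureVulnerable(log *slog.Logger, token string, err error) {
	log.Debug("authentication failed", slog.String("token", token), slog.String("error", err.Error()))
}

// logAuthFailureFixed logs only the redacted tail.
func logAuthFailureFixed(log *slog.Logger, token string, err error) {
	log.Debug("authentication failed", slog.String("token", redactToken(token)), slog.String("error", err.Error()))
}

// captureLog runs logFn against a DEBUG-level JSON logger (the production
// misconfiguration the advisory warns about) and returns what was written,
// i.e. what a log aggregation pipeline would receive.
func captureLog(logFn func(*slog.Logger, string, error), token string) string {
	var sb strings.Builder
	log := slog.New(slog.NewJSONHandler(&sb, &slog.HandlerOptions{Level: slog.LevelDebug}))
	logFn(log, token, errors.New("token signature invalid")) // constructed failure reason
	return sb.String()
}

func main() {
	fmt.Print(captureLog(logAuthFailureVulnerable, sampleToken))
	fmt.Print(captureLog(logAuthFailureFixed, sampleToken))
}
```

Pointing the same capture at a handler whose level is `slog.LevelInfo` produces no line at all from either function, which is what the workaround below relies on.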

### Workarounds
Ensure DEBUG-level logging is never enabled in production environments.
Vulnerability type
CWE-532 Insertion of Sensitive Information into Log File
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 15 Apr 2026