Oxia exposes sensitive authentication tokens in debug logs
GHSA-pm7q-rjjx-979p
Summary
When OIDC authentication fails, Oxia logs the full bearer token in plain text at DEBUG level. If debug logging is enabled in production, anyone who can read the application logs or a connected log aggregation system can copy the token and replay it to impersonate the user it belongs to. All versions before 0.16.2 that use OIDC authentication are affected. Upgrade to 0.16.2; until then, ensure DEBUG-level logging is never enabled in production.
What to do
- Update oxia-db github.com/oxia-db/oxia to version 0.16.2.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Go | oxia-db | github.com/oxia-db/oxia | < 0.16.2 (fix: upgrade to 0.16.2) |
Original title
Oxia exposes bearer token in debug log messages on authentication failure
Original description
### Summary
When OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system.
### Impact
An attacker with access to application logs (e.g., via a compromised log aggregation pipeline, shared logging infrastructure, or misconfigured log access controls) can extract valid JWT tokens and replay them to authenticate as legitimate users.
All versions using OIDC authentication are affected.
### Details
In `oxiad/common/rpc/auth/interceptor.go`, the `validateTokenWithContext()` function logs the complete token value via `slog.String("token", token)` when authentication fails. This includes the full JWT header, payload, and signature.
### Patches
Fixed by redacting the token in log output — only the last 8 characters are preserved for correlation purposes.
### Workarounds
Ensure DEBUG-level logging is never enabled in production environments.
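The logging pattern the advisory describes, beside the redaction it says the fix applies, as an added Go example that is not Oxia's code. `redactToken`, `vulnerableLog`, `patchedLog` and `captureLog` are illustrative names, the 8-character tail follows the advisory's description of the patch, and the JWT is a constructed sample, not a real credential. The last call shows the workaround: with the handler level at INFO the debug record is never written.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"log/slog"
	"strings"
)

// redactToken keeps only the last 8 characters of a token so log lines can
// still be correlated with a specific credential without revealing it.
// Illustrative helper; the 8-character tail mirrors the advisory's fix.
func redactToken(token string) string {
	const keep = 8
	if len(token) <= keep {
		return strings.Repeat("*", len(token))
	}
	return "..." + token[len(token)-keep:]
}

// vulnerableLog reproduces the pattern from the advisory: the complete token is
// attached to a DEBUG record, so any sink receiving this line holds a
// replayable bearer credential.
func vulnerableLog(logger *slog.Logger, token string, err error) {
	logger.Debug("authentication failed",
		slog.String("token", token),
		slog.String("error", err.Error()))
}

// patchedLog records the same event with the token redacted.
func patchedLog(logger *slog.Logger, token string, err error) {
	logger.Debug("authentication failed",
		slog.String("token", redactToken(token)),
		slog.String("error", err.Error()))
}

// captureLog runs fn against a text handler at the given level and returns
// what was written, so the two behaviours can be compared side by side.
func captureLog(level slog.Level, fn func(*slog.Logger)) string {
	var buf bytes.Buffer
	logger := slog.New(slog.NewTextHandler(&buf, &slog.HandlerOptions{Level: level}))
	fn(logger)
	return buf.String()
}

func main() {
	// Constructed sample JWT (header.payload.signature); not a real token.
	token := "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLWJ5dGVz"
	err := errors.New("token validation failed")

	// Vulnerable: the full token lands in the log line.
	fmt.Print(captureLog(slog.LevelDebug, func(l *slog.Logger) { vulnerableLog(l, token, err) }))
	// Patched: only the last 8 characters remain for correlation.
	fmt.Print(captureLog(slog.LevelDebug, func(l *slog.Logger) { patchedLog(l, token, err) }))
	// Workaround: at INFO level the DEBUG record is dropped entirely.
	out := captureLog(slog.LevelInfo, func(l *slog.Logger) { vulnerableLog(l, token, err) })
	fmt.Printf("debug disabled, output: %q\n", out)
}
```

Run with `go run .`; the first line contains the whole token, the second only `...LWJ5dGVz`, and the third is empty. Note that the workaround only suppresses the record at the handler; a later level change (for instance, turning on debug to chase an unrelated problem) reintroduces the leak, which is why the redaction in the patched version is the durable fix.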
Vulnerability type
CWE-532
Insertion of Sensitive Information into Log File
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 15 Apr 2026