Back to search
CVE-2026-40944
Published: Apr 21, 2026
Modified: Apr 22, 2026
PUBLISHED
Description
Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. This silently breaks certificate chain validation for mTLS. This vulnerability is fixed in 0.16.2.
| Vendor | Product | Versions |
|---|---|---|
oxia-db | oxia | affected < 0.16.2 |
Weaknesses (CWE)
References
https://github.com/oxia-db/oxia/security/advisories/GHSA-7jrq-q4pq-rhm6
x_refsource_CONFIRM
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now