OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XOpenbao
APPOpenbao< 2.5.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
Related vulnerabilities
CVE-2026-33758CRITICAL9.4PL ✓ten sam produkt
XSS w OpenBao — kradzież tokenu Web UI przez parametr error_description
CVE-2026-33757CRITICAL9.6PL ✓ten sam produkt
OpenBao: zdalne phishing przez JWT/OIDC bez potwierdzenia logowania
CVE-2025-54997CRITICAL9.1PL ✓ten sam produkt
OpenBao: ominięcie restrykcji przez subsystem audytu — RCE i dostęp sieciowy
CVE-2025-64761HIGH7.5ten sam produkt
OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged opera...
CVE-2025-59043HIGH7.5ten sam produkt
OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON o...