CVE-2026-33757Session Fixation in Openbao Openbao

CWE-384Session Fixation6 documents5 sources
Severity
8.3HIGHNVD
EPSS
0.1%
top 79.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Openbao OpenbaoOpenbao
Timeline
PublishedMar 27

Description

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API an

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:LExploitability: 2.8 | Impact: 5.5

Affected Packages2 packages

NVDopenbao/openbao< 2.5.2
Gogithub.com/openbao_openbao< 0.0.0-20260325142553-e32103951925

Patches

Patch: github.com

🔴Vulnerability Details

3
GHSA
OpenBao lacks user confirmation for OIDC direct callback mode2026-03-26
OSV
OpenBao lacks user confirmation for OIDC direct callback mode2026-03-26
OSV
OpenBao lacks user confirmation for OIDC direct callback mode in github.com/openbao/openbao2026-03-26

📋Vendor Advisories

1
Red Hat
OpenBao: lack of user confirmation for OpenBao OIDC direct callback mode2026-03-27

🕵️Threat Intelligence

1
Wiz
CVE-2026-33757 Impact, Exploitability, and Mitigation Steps | Wiz