# GitHub.com OpenBao/OpenBao vulnerabilities
17 known vulnerabilities affecting github.com/openbao_openbao.
- Total CVEs: 17
- CISA KEV: 0
- Public exploits: 0
- Exploited in wild: 0
- Severity breakdown: Critical 3, High 7, Medium 6, Low 1
## Vulnerabilities
CVE-2026-33758 [CRITICAL] CWE-20: OpenBao has Reflected XSS in its OIDC authentication error message
Affected versions: ≥ 0, < 0.0.0-20260325133417-6e2b2dd84f0e. Published: 2026-03-26.
### Impact
OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication.
This gives an attacker access to the token used in the Web UI by a victim.
### Patches
The `
CVE-2026-33757 [CRITICAL] CWE-384: OpenBao lacks user confirmation for OIDC direct callback mode
Affected versions: ≥ 0, < 0.0.0-20260325142553-e32103951925. Published: 2026-03-26.
### Impact
OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`.
This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log in to the session of the attacker. Despite being based on
CVE-2025-64761 [HIGH] CVSS 7.2, CWE-266: OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation
Affected versions: ≥ 0, < 2.4.4. Published: 2025-11-24.
### Impact
Similar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add the root policy to an identity group, escalating their own or another user's permissions in the system. Specifically, this is an issue when:
1. An operator in the root namespace has access to `ide
CVE-2025-62513 [MEDIUM] CWE-532: OpenBao leaks HTTPRawBody in Audit Logs
Affected versions: ≥ 0.0.0-20241114205727-b1235e585db7, < 0.0.0-20251022165510-cc2c476bac66. Published: 2025-10-22.
### Impact
OpenBao's audit log experienced a regression wherein raw HTTP bodies used by a few endpoints were not correctly redacted (HMAC'd). This impacted the following subsystems:
- When using the ACME functionality of PKI, this would result in short-lived ACME verification challenge codes being leaked in the audit logs.
- When using the OIDC issuer functionality of the identity sub
CVE-2025-62705 [MEDIUM] CWE-532: OpenBao and Vault Leak []byte Fields in Audit Logs
Affected versions: ≥ 0, < 0.0.0-20251022165510-cc2c476bac66. Published: 2025-10-22.
### Impact
OpenBao's audit log did not appropriately redact fields when relevant subsystems sent `[]byte` response parameters rather than `string`s. This includes, but is not limited to:
- `sys/raw` with use of `encoding=base64`, all data would be emitted unredacted to the audit log.
- Transit, when performing a signing operation with a derived Ed25519 key, wou
CVE-2025-59043 [HIGH] CVSS 7.5, CWE-400: OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests
Affected versions: ≥ 0, < 2.4.1. Published: 2025-10-17.
### Summary
JSON objects after decoding might use more memory than their serialized version. It is possible to tune a JSON to maximize the factor between serialized memory usage and deserialized memory usage (similar to a zip bomb). While reproduci
CVE-2025-54997 [CRITICAL] CVSS 9.1, CWE-94: Privileged OpenBao Operator May Execute Code on the Underlying Host
Affected versions: ≥ 0.1.0, < 2.3.2; ≥ 0, < 0.0.0-20250806194004-a14053c9679d. Published: 2025-08-08.
### Impact
Under certain threat models, OpenBao operators with privileged API access may not be system administrators and thus normally lack the ability to update binaries or execute code on the system. Additionally, privileged API operators should be unable to perform TCP connections to arbitrary hosts in the environment OpenB
CVE-2025-55001 [HIGH] CVSS 8.1, CWE-156: OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
Affected versions: ≥ 0.1.0, < 2.3.2; ≥ 0, < 0.0.0-20250807212521-c52795c1ef74. Published: 2025-08-08.
### Impact
OpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using the `username_as_alias=true` parameter in the LDAP auth method, the caller-supplied username is used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requiremen
CVE-2025-54996 [HIGH] CWE-266: OpenBao Root Namespace Operator May Elevate Token Privileges
Affected versions: ≥ 0.1.0, < 2.3.2; ≥ 0, < 0.0.0-20250806193240-9b0b5d4f345f. Published: 2025-08-08.
### Impact
Accounts with access to the highly-privileged identity entity system in the root namespace may increase their scope directly to the `root` policy. While the identity system always allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the `root` policy is restricted to manual generation u
CVE-2025-54998 [MEDIUM] CVSS 5.3, CWE-307: OpenBao Userpass and LDAP User Lockout Bypass
Affected versions: ≥ 0.1.0, < 2.3.2; ≥ 0, < 0.0.0-20250807212521-c52795c1ef74. Published: 2025-08-08.
### Impact
Attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions.
### Patches
OpenBao v2.3.2 will patch this issue.
### Workarounds
Existing users may apply rate-limiting quotas on the authentication endpoi
CVE-2025-55003 [MEDIUM] CVSS 5.7, CWE-307: OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse
Affected versions: ≥ 0.1.0, < 2.3.2; ≥ 0, < 0.0.0-20250807113757-8340a6918f6c. Published: 2025-08-08.
### Impact
OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existi
CVE-2025-55000 [MEDIUM] CVSS 6.5, CWE-156: OpenBao TOTP Secrets Engine Code Reuse
Affected versions: ≥ 0.1.0, < 2.3.2; ≥ 0, < 0.0.0-20250806193153-183891f8d535. Published: 2025-08-08.
### Impact
OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly once. This was caused by unexpected normalization in the underlying TOTP library.
### Patches
OpenBao v2.3.2 will patch this issue.
In patching, codes which were not normalized (strictly N numeric digits) will now be rejected. This is a potentially breaking change.
### Workarounds
CVE-2025-54999 [LOW] CVSS 3.7, CWE-203: OpenBao has a Timing Side-Channel in the Userpass Auth Method
Affected versions: ≥ 0.1.0, < 2.3.2; ≥ 0, < 0.0.0-20250806193356-4d9b5d3d6486. Published: 2025-08-08.
### Impact
When using OpenBao's `userpass` auth method, user enumeration was possible due to a timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user.
### Patches
OpenBao v2.3.2 will patch this issue.
### Workarounds
Users may use a
CVE-2025-52894 [MEDIUM] CWE-20: OpenBao allows cancellation of root rekey and recovery rekey operations without authentication
Affected versions: ≥ 0.1.0; ≥ 0, < 0.0.0-20250625150133-fe75468822a2. Published: 2025-06-26.
### Impact
OpenBao and HashiCorp Vault allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service.
### Patches
In OpenBao v2.2.2 and later, manually setting the configuration option `disab
CVE-2024-8185 [HIGH] CVSS 7.5, CWE-636: Hashicorp Vault vulnerable to denial of service through memory exhaustion
Affected versions: ≥ 0, < 2.0.3. Published: 2024-10-31.
Vault Community and Vault Enterprise ("Vault") clusters using Vault's Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion via a Raft cluster join API endpoint. An attacker may send a large volume of requests to the endpoint, which may cause Vault to consume excessive
CVE-2024-9180 [HIGH] CWE-266: Vault Community Edition privilege escalation vulnerability
Affected versions: ≥ 0, < 2.0.3. Published: 2024-10-10.
A privileged Vault operator with write permissions to the root namespace's identity endpoint could escalate their privileges to Vault's root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.
CVE-2024-7594 [HIGH] CWE-732: Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default
Affected versions: ≥ 0.1.0; ≥ 0, < 0.0.0-20241003222810-d5b4e9224698. Published: 2024-09-26.
Vault's SSH secrets engine did not require the `valid_principals` list to contain a value by default. If the `valid_principals` and `default_user` fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user from Vault's SSH secrets engine could be used to aut