PatchSiren cyber security CVE debrief

CVE-2026-33757 openbao CVE debrief

CVE-2026-33757 is a critical authentication bypass vulnerability in OpenBao, an open-source identity-based secrets management system. It enables a 'remote phishing' attack: a victim who visits an attacker-supplied URL is automatically logged in to the attacker's authentication session. This is possible because OpenBao does not prompt for user confirmation when logging in via JWT/OIDC with a role whose `callback_mode` is set to `direct`, so an attacker can start an authentication request and poll for an OpenBao token until it is issued. The vulnerability carries a CVSS score of 9.6 (critical). OpenBao version 2.5.2 includes a patch that adds an additional confirmation screen for `direct` type logins, requiring manual user interaction to finish the authentication.

Vendor: openbao
Product: Unknown
CVSS: CRITICAL 9.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-27
Original CVE updated: 2026-06-30
Advisory published: 2026-03-27
Advisory updated: 2026-06-30

Who should care

Organizations using OpenBao for secrets management should be aware of this critical vulnerability and take immediate action to patch or mitigate it. Specifically, OpenBao administrators and security teams should review their current configurations and ensure that all roles with `callback_mode=direct` are either removed or configured to require user confirmation. Additionally, defenders should monitor for potential phishing attempts and anomalous login activity.

Technical summary

The vulnerability exists in OpenBao's authentication mechanism, specifically when using JWT/OIDC with a role configured with `callback_mode=direct`. In this mode, OpenBao does not prompt the user for confirmation, which allows an attacker to perform a 'remote phishing' attack: the attacker starts an authentication request and polls for a token until it is issued, effectively bypassing authentication. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L: network-reachable, low complexity, no privileges required, user interaction required, changed scope, high impact on confidentiality and integrity, and low impact on availability. OpenBao version 2.5.2 addresses this issue by introducing an additional confirmation screen for `direct` type logins.

Defensive priority

This vulnerability should be prioritized for immediate attention due to its critical severity and potential for exploitation. Defenders should focus on patching or mitigating the vulnerability as soon as possible.

Recommended defensive actions

  • Review and remove any roles with `callback_mode=direct` in OpenBao configurations.
  • Enforce confirmation for every session on the token issuer side for the Client ID used by OpenBao.
  • Upgrade to OpenBao version 2.5.2 or later to apply the patch.
  • Monitor for anomalous login activity and potential phishing attempts.
  • Perform thorough inventory checks to identify potentially affected systems.
  • Implement compensating controls, such as additional authentication factors, where possible.
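As an added example (not OpenBao's own tooling), a small Python audit that checks the two conditions the debrief names: an OpenBao version below 2.5.2 and JWT/OIDC roles with `callback_mode=direct`. Role data is fed in as constructed JSON; in practice it would come from reading each role under the JWT/OIDC auth mount.

```python
import json
from typing import Dict, List

# First OpenBao release that adds the confirmation screen for `direct` logins
# (from the advisory text).
PATCHED_VERSION = (2, 5, 2)

# Constructed sample role configs, shaped like the JSON `data` returned when
# reading auth/<mount>/role/<name>; not taken from a live deployment.
SAMPLE_ROLES_JSON = """
{
  "ci-deploy":   {"role_type": "oidc", "callback_mode": "direct"},
  "ops-login":   {"role_type": "oidc", "callback_mode": "client"},
  "device-flow": {"role_type": "oidc", "callback_mode": "device"},
  "svc-jwt":     {"role_type": "jwt"}
}
"""


def parse_version(version: str) -> tuple:
    """Turn a version string such as 'v2.5.1' into a comparable tuple of ints.
    Build metadata and pre-release suffixes are ignored."""
    core = version.lstrip("v").split("+")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(version: str) -> bool:
    """True when the running OpenBao version already ships the fix."""
    return parse_version(version) >= PATCHED_VERSION


def find_direct_roles(roles: Dict[str, dict]) -> List[str]:
    """Names of roles that explicitly set callback_mode=direct.
    Roles without the field are not flagged; confirm the deployment's
    documented default before treating them as safe."""
    return sorted(name for name, cfg in roles.items()
                  if cfg.get("callback_mode") == "direct")


def audit(version: str, roles_json: str) -> dict:
    """Combine both checks into one report for the operator."""
    direct = find_direct_roles(json.loads(roles_json))
    patched = is_patched(version)
    return {
        "patched": patched,
        "direct_roles": direct,
        # Exposure needs both an unpatched server and at least one direct role.
        "exposed": (not patched) and bool(direct),
    }


if __name__ == "__main__":
    print(json.dumps(audit("2.5.1", SAMPLE_ROLES_JSON), indent=2))
```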

Evidence notes

This debrief of CVE-2026-33757 is based on information from the OpenBao project and the National Vulnerability Database (NVD). The vulnerability was published on March 27, 2026, and last modified on June 30, 2026. The CVSS score of 9.6 indicates a critical severity level. The vulnerability is classified under CWE-384, 'Session Fixation'.

Official resources

This article is AI-assisted and based on the supplied source corpus.