PatchSiren


CVE-2026-33758 openbao CVE debrief

OpenBao, an open-source identity-based secrets management system, has a critical vulnerability tracked as CVE-2026-33758. It affects installations that have an OIDC/JWT authentication method enabled and at least one role configured with `callback_mode=direct`. The page OpenBao shows after a failed authentication renders the `error_description` parameter without neutralising it, a cross-site scripting (XSS) flaw: an attacker who gets a victim's browser to load a crafted failed-authentication page can run script in the context of the Web UI and potentially obtain the token the victim uses there. OpenBao 2.5.2 fixes the issue by replacing the rendered `error_description` text with a static error message. Until the upgrade is applied, removing every role with `callback_mode` set to `direct` closes the affected path.

Vendor
openbao
Product
Unknown
CVSS
CRITICAL 9.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-27
Original CVE updated
2026-06-30
Advisory published
2026-03-27
Advisory updated
2026-06-30

Who should care

Security teams and administrators responsible for OpenBao installations should treat this as a critical issue. At risk are deployments running a version earlier than 2.5.2 that have an OIDC/JWT authentication method enabled and at least one role configured with `callback_mode=direct`; deployments without such a role do not match the affected configuration the advisory describes, but should verify that before deprioritising. Upgrade to 2.5.2 or later, or apply the mitigation, without delay.

Technical summary

CVE-2026-33758 is a cross-site scripting (XSS) vulnerability in OpenBao, an identity-based secrets management system. When an OIDC/JWT authentication method is enabled and at least one role is configured with `callback_mode=direct`, the page OpenBao serves for a failed authentication includes the `error_description` value supplied with the failed attempt. Because that value is rendered rather than neutralised, attacker-controlled content can execute in the Web UI context of the user who lands on the page, and the advisory notes it could expose the token that user holds in the Web UI. The flaw carries a CVSS score of 9.4 (critical). OpenBao 2.5.2 addresses it by replacing the rendered `error_description` value with a static error message, so the failure page no longer carries any caller-supplied text.

Defensive priority

With a CVSS score of 9.4 (critical) and a secrets manager as the target, treat this as an immediate-action item wherever the affected configuration is present: an OIDC/JWT auth method with any role set to `callback_mode=direct`. A token taken from the Web UI is a credential for everything the victim's policies allow, so the exposure is the victim's secrets access, not just a UI session. Installations with no `direct` callback role can schedule the upgrade normally, but should confirm the absence of such roles rather than assume it.

Recommended defensive actions

  • Upgrade OpenBao to version 2.5.2 or later; this is the only change that removes the rendering of `error_description`.
  • Until the upgrade is in place, remove every role on OIDC/JWT auth mounts whose `callback_mode` is `direct`; check every such mount, not only the default `oidc` path.
  • Review OIDC/JWT auth method and role configuration after the change so no role is recreated with `callback_mode=direct` before the fixed version is running.
  • Monitor authentication activity for failed OIDC/JWT logins and callback requests that carry unusual `error_description` values.
  • Have a response path ready: if exploitation is suspected, revoke the affected user's tokens and review what those tokens could access.
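As an added example for the mitigation step, not a tool shipped by OpenBao, the Go program below enumerates the roles on an OIDC/JWT auth mount whose `callback_mode` is `direct`. It assumes the HTTP API conventions OpenBao inherited from Vault (`X-Vault-Token` header, `GET .../role?list=true` for listing, a `{"data": ...}` envelope, `callback_mode` present in the role read) and the `BAO_ADDR`/`BAO_TOKEN` environment variables; when those are unset it runs against a constructed fake server embedded in the program, whose role names and modes are made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"sort"
	"strings"
)

// apiGet performs an authenticated GET against the OpenBao HTTP API and returns
// the "data" object of the JSON response. The X-Vault-Token header and the
// {"data": {...}} envelope are assumed to be accepted by the target server.
func apiGet(client *http.Client, rawURL, token string) (map[string]json.RawMessage, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusNotFound {
		// A listing on a path with no entries comes back as 404; treat it as empty.
		return map[string]json.RawMessage{}, nil
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s: HTTP %d", rawURL, resp.StatusCode)
	}
	var envelope struct {
		Data map[string]json.RawMessage `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&envelope); err != nil {
		return nil, err
	}
	return envelope.Data, nil
}

// DirectCallbackRoles lists the roles on auth mount `mount` and returns, sorted,
// the names whose callback_mode is "direct". Listing uses GET ...?list=true and
// each role is then read individually.
func DirectCallbackRoles(client *http.Client, baseURL, token, mount string) ([]string, error) {
	listing, err := apiGet(client, fmt.Sprintf("%s/v1/auth/%s/role?list=true", baseURL, mount), token)
	if err != nil {
		return nil, err
	}
	var names []string
	if raw, ok := listing["keys"]; ok {
		if err := json.Unmarshal(raw, &names); err != nil {
			return nil, err
		}
	}
	var direct []string
	for _, name := range names {
		role, err := apiGet(client, fmt.Sprintf("%s/v1/auth/%s/role/%s", baseURL, mount, name), token)
		if err != nil {
			return nil, err
		}
		var mode string
		if raw, ok := role["callback_mode"]; ok {
			if err := json.Unmarshal(raw, &mode); err != nil {
				return nil, err
			}
		}
		if mode == "direct" {
			direct = append(direct, name)
		}
	}
	sort.Strings(direct)
	return direct, nil
}

// fakeServer is a constructed stand-in for an OpenBao server with three roles on
// the "oidc" mount, two of them in direct callback mode. It exists so the example
// runs offline; it is not real OpenBao data.
func fakeServer() *httptest.Server {
	roles := map[string]string{"ci": "client", "legacy": "direct", "ui-direct": "direct"}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := strings.TrimPrefix(r.URL.Path, "/v1/auth/oidc/role/")
		switch {
		case r.URL.Path == "/v1/auth/oidc/role" && r.URL.Query().Get("list") == "true":
			fmt.Fprint(w, `{"data":{"keys":["ci","legacy","ui-direct"]}}`)
		case name != r.URL.Path && roles[name] != "":
			fmt.Fprintf(w, `{"data":{"callback_mode":%q}}`, roles[name])
		default:
			http.NotFound(w, r)
		}
	}))
}

func main() {
	baseURL, token := os.Getenv("BAO_ADDR"), os.Getenv("BAO_TOKEN")
	client := http.DefaultClient
	if baseURL == "" {
		srv := fakeServer()
		defer srv.Close()
		baseURL, token, client = srv.URL, "example-token", srv.Client()
	}
	direct, err := DirectCallbackRoles(client, baseURL, token, "oidc")
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("roles on auth/%s with callback_mode=direct: %v\n", "oidc", direct)
}
```

Run it once per OIDC/JWT mount (the mount name is the last argument to DirectCallbackRoles) and delete each returned role until the upgrade to 2.5.2 is complete; a mount with no roles lists as 404 and yields an empty result rather than an error.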

Evidence notes

The details above come from the OpenBao security advisory and the NVD record for CVE-2026-33758. Versions prior to 2.5.2 are confirmed as affected. Limited information is available on exploitation in the wild, and the stored evidence does not list the CVE in CISA KEV.

Official resources

This article is AI-assisted and based on the supplied source corpus.