PatchSiren

openbao CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW openbao CVE published 2026-05-14

CVE-2026-42186

OpenBao versions prior to 2.5.3 contain a logic flaw in namespace deletion that can leave orphaned data when initial deletion attempts fail. The vulnerability stems from improper cleanup during retry operations, potentially affecting outstanding leases and leaving unrelated storage entries intact after a namespace is marked deleted. This represents a data integrity concern rather than direct confidentiali [truncated]

CRITICAL openbao CVE published 2026-03-27

CVE-2026-33758

OpenBao, an open-source identity-based secrets management system, has a critical vulnerability tracked as CVE-2026-33758. This vulnerability affects OpenBao installations with an OIDC/JWT authentication method enabled and a role configured with `callback_mode=direct`. The vulnerability allows an attacker to exploit the `error_description` parameter on the page for a failed authentication, potentially gain [truncated]

CRITICAL openbao CVE published 2026-03-27

CVE-2026-33757

CVE-2026-33757 is a critical authentication bypass vulnerability in OpenBao, an open-source identity-based secrets management system. The vulnerability allows an attacker to perform remote phishing by having a victim visit a URL and automatically log in to the attacker's session. This is possible because OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_m [truncated]