Vulnerability-Lookup

CVE-2026-33757 (GCVE-0-2026-33757)

Vulnerability from cvelistv5 – Published: 2026-03-27 14:10 – Updated: 2026-04-01 03:55

Title

OpenBao lacks user confirmation for OIDC direct callback mode

Summary

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.

Severity ?

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

CWE

CWE-384 - Session Fixation

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	openbao	openbao	Affected: < 2.5.2

OPENSUSE-SU-2026:10438-1

Vulnerability from csaf_opensuse - Published: 2026-03-26 00:00 - Updated: 2026-03-26 00:00

Summary

openbao-2.5.2-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: openbao-2.5.2-1.1 on GA media

Description of the patch: These are all security issues fixed in the openbao-2.5.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10438

CVE-2026-33757

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-33758

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-33757/	self
	https://www.suse.com/security/cve/CVE-2026-33758/	self
	https://www.suse.com/security/cve/CVE-2026-33757	external
	https://www.suse.com/security/cve/CVE-2026-33758	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "openbao-2.5.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the openbao-2.5.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10438",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10438-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33757 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33757/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33758 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33758/"
      }
    ],
    "title": "openbao-2.5.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-03-26T00:00:00Z",
      "generator": {
        "date": "2026-03-26T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10438-1",
      "initial_release_date": "2026-03-26T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-03-26T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openbao-2.5.2-1.1.aarch64",
                "product": {
                  "name": "openbao-2.5.2-1.1.aarch64",
                  "product_id": "openbao-2.5.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-agent-2.5.2-1.1.aarch64",
                "product": {
                  "name": "openbao-agent-2.5.2-1.1.aarch64",
                  "product_id": "openbao-agent-2.5.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-cassandra-database-plugin-2.5.2-1.1.aarch64",
                "product": {
                  "name": "openbao-cassandra-database-plugin-2.5.2-1.1.aarch64",
                  "product_id": "openbao-cassandra-database-plugin-2.5.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-influxdb-database-plugin-2.5.2-1.1.aarch64",
                "product": {
                  "name": "openbao-influxdb-database-plugin-2.5.2-1.1.aarch64",
                  "product_id": "openbao-influxdb-database-plugin-2.5.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-mysql-database-plugin-2.5.2-1.1.aarch64",
                "product": {
                  "name": "openbao-mysql-database-plugin-2.5.2-1.1.aarch64",
                  "product_id": "openbao-mysql-database-plugin-2.5.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.aarch64",
                "product": {
                  "name": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.aarch64",
                  "product_id": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-postgresql-database-plugin-2.5.2-1.1.aarch64",
                "product": {
                  "name": "openbao-postgresql-database-plugin-2.5.2-1.1.aarch64",
                  "product_id": "openbao-postgresql-database-plugin-2.5.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-server-2.5.2-1.1.aarch64",
                "product": {
                  "name": "openbao-server-2.5.2-1.1.aarch64",
                  "product_id": "openbao-server-2.5.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openbao-2.5.2-1.1.ppc64le",
                "product": {
                  "name": "openbao-2.5.2-1.1.ppc64le",
                  "product_id": "openbao-2.5.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-agent-2.5.2-1.1.ppc64le",
                "product": {
                  "name": "openbao-agent-2.5.2-1.1.ppc64le",
                  "product_id": "openbao-agent-2.5.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-cassandra-database-plugin-2.5.2-1.1.ppc64le",
                "product": {
                  "name": "openbao-cassandra-database-plugin-2.5.2-1.1.ppc64le",
                  "product_id": "openbao-cassandra-database-plugin-2.5.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-influxdb-database-plugin-2.5.2-1.1.ppc64le",
                "product": {
                  "name": "openbao-influxdb-database-plugin-2.5.2-1.1.ppc64le",
                  "product_id": "openbao-influxdb-database-plugin-2.5.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-mysql-database-plugin-2.5.2-1.1.ppc64le",
                "product": {
                  "name": "openbao-mysql-database-plugin-2.5.2-1.1.ppc64le",
                  "product_id": "openbao-mysql-database-plugin-2.5.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.ppc64le",
                "product": {
                  "name": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.ppc64le",
                  "product_id": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-postgresql-database-plugin-2.5.2-1.1.ppc64le",
                "product": {
                  "name": "openbao-postgresql-database-plugin-2.5.2-1.1.ppc64le",
                  "product_id": "openbao-postgresql-database-plugin-2.5.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-server-2.5.2-1.1.ppc64le",
                "product": {
                  "name": "openbao-server-2.5.2-1.1.ppc64le",
                  "product_id": "openbao-server-2.5.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openbao-2.5.2-1.1.s390x",
                "product": {
                  "name": "openbao-2.5.2-1.1.s390x",
                  "product_id": "openbao-2.5.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-agent-2.5.2-1.1.s390x",
                "product": {
                  "name": "openbao-agent-2.5.2-1.1.s390x",
                  "product_id": "openbao-agent-2.5.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-cassandra-database-plugin-2.5.2-1.1.s390x",
                "product": {
                  "name": "openbao-cassandra-database-plugin-2.5.2-1.1.s390x",
                  "product_id": "openbao-cassandra-database-plugin-2.5.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-influxdb-database-plugin-2.5.2-1.1.s390x",
                "product": {
                  "name": "openbao-influxdb-database-plugin-2.5.2-1.1.s390x",
                  "product_id": "openbao-influxdb-database-plugin-2.5.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-mysql-database-plugin-2.5.2-1.1.s390x",
                "product": {
                  "name": "openbao-mysql-database-plugin-2.5.2-1.1.s390x",
                  "product_id": "openbao-mysql-database-plugin-2.5.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.s390x",
                "product": {
                  "name": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.s390x",
                  "product_id": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-postgresql-database-plugin-2.5.2-1.1.s390x",
                "product": {
                  "name": "openbao-postgresql-database-plugin-2.5.2-1.1.s390x",
                  "product_id": "openbao-postgresql-database-plugin-2.5.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-server-2.5.2-1.1.s390x",
                "product": {
                  "name": "openbao-server-2.5.2-1.1.s390x",
                  "product_id": "openbao-server-2.5.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openbao-2.5.2-1.1.x86_64",
                "product": {
                  "name": "openbao-2.5.2-1.1.x86_64",
                  "product_id": "openbao-2.5.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-agent-2.5.2-1.1.x86_64",
                "product": {
                  "name": "openbao-agent-2.5.2-1.1.x86_64",
                  "product_id": "openbao-agent-2.5.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-cassandra-database-plugin-2.5.2-1.1.x86_64",
                "product": {
                  "name": "openbao-cassandra-database-plugin-2.5.2-1.1.x86_64",
                  "product_id": "openbao-cassandra-database-plugin-2.5.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-influxdb-database-plugin-2.5.2-1.1.x86_64",
                "product": {
                  "name": "openbao-influxdb-database-plugin-2.5.2-1.1.x86_64",
                  "product_id": "openbao-influxdb-database-plugin-2.5.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-mysql-database-plugin-2.5.2-1.1.x86_64",
                "product": {
                  "name": "openbao-mysql-database-plugin-2.5.2-1.1.x86_64",
                  "product_id": "openbao-mysql-database-plugin-2.5.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.x86_64",
                "product": {
                  "name": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.x86_64",
                  "product_id": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-postgresql-database-plugin-2.5.2-1.1.x86_64",
                "product": {
                  "name": "openbao-postgresql-database-plugin-2.5.2-1.1.x86_64",
                  "product_id": "openbao-postgresql-database-plugin-2.5.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "openbao-server-2.5.2-1.1.x86_64",
                "product": {
                  "name": "openbao-server-2.5.2-1.1.x86_64",
                  "product_id": "openbao-server-2.5.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-2.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-2.5.2-1.1.aarch64"
        },
        "product_reference": "openbao-2.5.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-2.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-2.5.2-1.1.ppc64le"
        },
        "product_reference": "openbao-2.5.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-2.5.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-2.5.2-1.1.s390x"
        },
        "product_reference": "openbao-2.5.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-2.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-2.5.2-1.1.x86_64"
        },
        "product_reference": "openbao-2.5.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-agent-2.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.aarch64"
        },
        "product_reference": "openbao-agent-2.5.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-agent-2.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.ppc64le"
        },
        "product_reference": "openbao-agent-2.5.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-agent-2.5.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.s390x"
        },
        "product_reference": "openbao-agent-2.5.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-agent-2.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.x86_64"
        },
        "product_reference": "openbao-agent-2.5.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-cassandra-database-plugin-2.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.aarch64"
        },
        "product_reference": "openbao-cassandra-database-plugin-2.5.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-cassandra-database-plugin-2.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.ppc64le"
        },
        "product_reference": "openbao-cassandra-database-plugin-2.5.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-cassandra-database-plugin-2.5.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.s390x"
        },
        "product_reference": "openbao-cassandra-database-plugin-2.5.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-cassandra-database-plugin-2.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.x86_64"
        },
        "product_reference": "openbao-cassandra-database-plugin-2.5.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-influxdb-database-plugin-2.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.aarch64"
        },
        "product_reference": "openbao-influxdb-database-plugin-2.5.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-influxdb-database-plugin-2.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.ppc64le"
        },
        "product_reference": "openbao-influxdb-database-plugin-2.5.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-influxdb-database-plugin-2.5.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.s390x"
        },
        "product_reference": "openbao-influxdb-database-plugin-2.5.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-influxdb-database-plugin-2.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.x86_64"
        },
        "product_reference": "openbao-influxdb-database-plugin-2.5.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-mysql-database-plugin-2.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.aarch64"
        },
        "product_reference": "openbao-mysql-database-plugin-2.5.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-mysql-database-plugin-2.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.ppc64le"
        },
        "product_reference": "openbao-mysql-database-plugin-2.5.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-mysql-database-plugin-2.5.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.s390x"
        },
        "product_reference": "openbao-mysql-database-plugin-2.5.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-mysql-database-plugin-2.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.x86_64"
        },
        "product_reference": "openbao-mysql-database-plugin-2.5.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.aarch64"
        },
        "product_reference": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.ppc64le"
        },
        "product_reference": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.s390x"
        },
        "product_reference": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.x86_64"
        },
        "product_reference": "openbao-mysql-legacy-database-plugin-2.5.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-postgresql-database-plugin-2.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.aarch64"
        },
        "product_reference": "openbao-postgresql-database-plugin-2.5.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-postgresql-database-plugin-2.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.ppc64le"
        },
        "product_reference": "openbao-postgresql-database-plugin-2.5.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-postgresql-database-plugin-2.5.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.s390x"
        },
        "product_reference": "openbao-postgresql-database-plugin-2.5.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-postgresql-database-plugin-2.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.x86_64"
        },
        "product_reference": "openbao-postgresql-database-plugin-2.5.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-server-2.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.aarch64"
        },
        "product_reference": "openbao-server-2.5.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-server-2.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.ppc64le"
        },
        "product_reference": "openbao-server-2.5.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-server-2.5.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.s390x"
        },
        "product_reference": "openbao-server-2.5.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openbao-server-2.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.x86_64"
        },
        "product_reference": "openbao-server-2.5.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-33757",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33757"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:openbao-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-2.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33757",
          "url": "https://www.suse.com/security/cve/CVE-2026-33757"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:openbao-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-2.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-26T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-33757"
    },
    {
      "cve": "CVE-2026-33758",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33758"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:openbao-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-2.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.s390x",
          "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33758",
          "url": "https://www.suse.com/security/cve/CVE-2026-33758"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:openbao-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-2.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-agent-2.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-mysql-database-plugin-2.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.s390x",
            "openSUSE Tumbleweed:openbao-server-2.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-26T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-33758"
    }
  ]
}

GHSA-7Q7G-X6VG-XPC3

Vulnerability from github – Published: 2026-03-26 18:32 – Updated: 2026-03-27 21:31

Summary

OpenBao lacks user confirmation for OIDC direct callback mode

Details

Impact

OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callback_mode set to direct.

This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the direct mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued.

Patches

Version 2.5.2 includes an additional confirmation screen for direct type logins that requires manual user interaction in order to finish the authentication.

Workarounds

This issue can be worked around either by removing any roles with callback_mode=direct or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.

Severity ?

9.6 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260325142553-e32103951925"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:32:54Z",
    "nvd_published_at": "2026-03-27T15:16:57Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nOpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`.\n\nThis allows an attacker to start an authentication request and perform \"remote phishing\" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the  `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued.\n\n### Patches\nVersion 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication.\n\n### Workarounds\nThis issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.",
  "id": "GHSA-7q7g-x6vg-xpc3",
  "modified": "2026-03-27T21:31:24Z",
  "published": "2026-03-26T18:32:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33757"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964"
    },
    {
      "type": "WEB",
      "url": "https://datatracker.ietf.org/doc/html/rfc8628#section-5.4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenBao lacks user confirmation for OIDC direct callback mode"
}

FKIE_CVE-2026-33757

Vulnerability from fkie_nvd - Published: 2026-03-27 15:16 - Updated: 2026-03-30 17:23

Severity ?

9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Summary

References

URL	Tags
security-advisories@github.com	https://datatracker.ietf.org/doc/html/rfc8628#section-5.4	Technical Description
security-advisories@github.com	https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964	Patch
security-advisories@github.com	https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3	Vendor Advisory

Impacted products

	Vendor	Product	Version
	openbao	openbao	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1489D2B-6994-46B2-8550-256B9EFCFD48",
              "versionEndExcluding": "2.5.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform \"remote phishing\" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the  `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao."
    }
  ],
  "id": "CVE-2026-33757",
  "lastModified": "2026-03-30T17:23:24.993",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-27T15:16:57.690",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description"
      ],
      "url": "https://datatracker.ietf.org/doc/html/rfc8628#section-5.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-384"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

WID-SEC-W-2026-0864

Vulnerability from csaf_certbund - Published: 2026-03-25 23:00 - Updated: 2026-03-30 22:00

Summary

OpenBao: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: OpenBao ist eine Open-Source-Lösung für Secrets Management, die sensible Daten wie Passwörter, API-Schlüssel und Zertifikate sicher speichert und verwaltet.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in OpenBao ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder einen Cross Site Scripting Angriff durchzuführen.

Betroffene Betriebssysteme: - Linux - UNIX

CVE-2026-33757

CVE-2026-33758

References

URL

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33757 (GCVE-0-2026-33757)

OPENSUSE-SU-2026:10438-1

GHSA-7Q7G-X6VG-XPC3

Impact

Patches

Workarounds

FKIE_CVE-2026-33757

WID-SEC-W-2026-0864

Tags

Sightings

Nomenclature