GHSA-Q8CJ-789H-VG24
Vulnerability from github – Published: 2026-05-28 17:52 – Updated: 2026-05-28 17:52
Summary
OpenBao's Inline Auth Incorrectly Redacted Headers
Details
Impact
OpenBao's inline auth functionality incorrectly redacted audit log entries: non-auth headers were removed while auth-related headers were retained in cleartext. Exploiting this requires an attacker to have compromised access to the audit device. Operators should review leaked source authentication material and rotate it as appropriate.
Patches
This is fixed in OpenBao v2.5.4.
Resources
https://github.com/openbao/openbao/issues/3074
Severity
{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.5.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-28T17:52:43Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nOpenBao\u0027s inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review leaked source authentication material and rotate it as appropriate.\n\n### Patches\n\nThis is fixed in OpenBao v2.5.4.\n\n### Resources\n\nhttps://github.com/openbao/openbao/issues/3074",
  "id": "GHSA-q8cj-789h-vg24",
  "modified": "2026-05-28T17:52:43Z",
  "published": "2026-05-28T17:52:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-q8cj-789h-vg24"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/issues/3074"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/pull/3076"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/131c6966af4dfb4e1906703436eecdb8f2a3e9df"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/releases/tag/v2.5.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenBao\u0027s Inline Auth Incorrectly Redacted Headers"
}