Search criteria

Related vulnerabilities

GHSA-7J6W-VVW2-5F9C

Vulnerability from github – Published: 2026-05-28 18:55 – Updated: 2026-05-28 18:55
VLAI
Summary
OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens
Details

Impact

In OpenBao's Kerberos auth method on the GET handler, or when an Authorization: Negotiate header is supplied, the response is includes a logical.Auth object in addition to an error message. This results in tokens being created with only the default policy, default TTL, and no entity information, which are hidden by the returned error message. No access to these tokens by the caller occurs and the authentication token is not ever made accessible outside of sys/raw. At most this could cause storage usage.

Patches

This is fixed in OpenBao v2.5.4.

Workarounds

Users may set a rate limit quota to limit the creation of these paths. As the path is unauthenticated, it isn't possible to deny access to it.

Reporter

This was discovered by an anonymous reporter.

Severity
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.5.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46405"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-28T18:55:23Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIn OpenBao\u0027s Kerberos auth method on the `GET` handler, or when an `Authorization: Negotiate` header is supplied, the response is includes a `logical.Auth` object in addition to an error message. This results in tokens being created with only the default policy, default TTL, and no entity information, which are hidden by the returned error message. No access to these tokens by the caller occurs and the authentication token is not ever made accessible outside of `sys/raw`. At most this could cause storage usage.\n\n### Patches\n\nThis is fixed in OpenBao v2.5.4. \n\n### Workarounds\n\nUsers may set a rate limit quota to limit the creation of these paths. As the path is unauthenticated, it isn\u0027t possible to deny access to it.\n\n### Reporter\n\nThis was discovered by an anonymous reporter.",
  "id": "GHSA-7j6w-vvw2-5f9c",
  "modified": "2026-05-28T18:55:23Z",
  "published": "2026-05-28T18:55:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-7j6w-vvw2-5f9c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/pull/3150"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/0d82e0a5a3b6a93e8087bcbaf0b11326c12d4f4d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/releases/tag/v2.5.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenBao\u0027s Kerberos Auth Method Accumulates Unaccessible Tokens"
}