CVE-2026-33758

Severity: Critical (CVSS 4.0 base score 9.4) · EPSS 17.2%
Published Mar 27, 2026 · Modified Jun 17, 2026

Description

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page shown for a failed authentication. This allows an attacker to obtain the token used by a victim in the Web UI. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`.

CVSS Details

Base Score: 9.4
Vector string:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Passive
Scope: Not Defined

Threat Intelligence

EPSS Exploit Probability: 17.2% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses (3)

CWE-116 Improper Encoding or Escaping of Output
CWE-20 Improper Input Validation
CWE-79 Cross-site Scripting

Affected Products (1)

Vendor    Product    Version Range
openbao   openbao    * <2.5.2

References (4)

  • github.com https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662
    Patch
  • github.com https://github.com/openbao/openbao/pull/2709
    Issue Tracking, Patch
  • github.com https://github.com/openbao/openbao/releases/tag/v2.5.2
    Product, Release Notes
  • github.com https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59
    Vendor Advisory

Remediation

  • github.com https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662
    Patch
  • github.com https://github.com/openbao/openbao/pull/2709
    Issue Tracking, Patch