216.73.217.22

CVE-2026-33758

· Published 27/03/2026 15:16 · Modified 27/03/2026 15:16

Labels: CVE-2026-33758 2026-03-27CVE-2026-33758CWE-20[email protected]

Essential information

Published
27/03/2026 15:16
Modified
27/03/2026 15:16
Author
Creator
CVSS
9.4 CRITICAL (v3) 9.4 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
openbao / openbao cpe:2.3:a:openbao:openbao:<2.5.2:*:*:*:*:*:*:*

References