Critical severity · NVD Advisory · Published Mar 27, 2026 · Updated Mar 27, 2026
OpenBao has Reflected XSS in its OIDC authentication error message
CVE-2026-33758
Description
OpenBao is an open source, identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role configured with callback_mode=direct are vulnerable to reflected cross-site scripting (XSS): the error_description parameter of a failed authentication is rendered into the error page without neutralisation. A victim who follows a crafted callback URL therefore runs attacker-supplied script in the Web UI's origin, which gives the attacker access to the token the victim's Web UI session holds. In v2.5.2 the reflected error_description has been replaced with a static error message. Until an upgrade is possible, the vulnerability can be mitigated by removing any roles with callback_mode set to direct.
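The mechanics and the fix described above, as an added Go example that is not OpenBao's code: a small callback handler renders the failed-login page from the error_description query parameter, once verbatim (the vulnerable pattern), once with a static message (the approach the advisory attributes to v2.5.2) and once HTML-escaped, and each is driven through httptest with a constructed probe payload. It also includes an audit helper for the mitigation, which flags roles whose callback_mode is "direct". The function names, the callback path and the role JSON shape (a "callback_mode" field per role) are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sort"
	"strings"
)

// Illustrative model of the bug class, not OpenBao's source: an OIDC callback
// handler builds the failed-login page from the IdP-supplied error_description
// query parameter. Function names, the callback path and the role JSON shape
// are assumptions made for this example.

const errorPageTemplate = "<html><body><h1>Login failed</h1><p>%s</p></body></html>"

// Static text shown in place of the reflected parameter, as the v2.5.2 fix does.
const staticErrorMessage = "Authentication failed. Check the OpenBao server logs for details."

// renderErrorPageVulnerable interpolates error_description verbatim, so a crafted
// callback URL injects markup into the Web UI origin (reflected XSS).
func renderErrorPageVulnerable(q url.Values) string {
	return fmt.Sprintf(errorPageTemplate, q.Get("error_description"))
}

// renderErrorPageFixed never reflects attacker-controlled text at all.
func renderErrorPageFixed(q url.Values) string {
	return fmt.Sprintf(errorPageTemplate, staticErrorMessage)
}

// renderErrorPageEscaped is the alternative when the value must be displayed:
// HTML-escape it before interpolation so it is rendered as text, not markup.
func renderErrorPageEscaped(q url.Values) string {
	return fmt.Sprintf(errorPageTemplate, html.EscapeString(q.Get("error_description")))
}

// containsRawScript reports whether an unescaped <script> start tag survived into the page.
func containsRawScript(body string) bool {
	return strings.Contains(body, "<script>")
}

// callbackResponse drives a renderer through httptest so query parsing is exercised
// the way a real request would be. The callback path is an assumed placeholder.
func callbackResponse(render func(url.Values) string, rawQuery string) string {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, render(r.URL.Query()))
	})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/auth/oidc/callback?"+rawQuery, nil))
	return rec.Body.String()
}

// roleConfig holds the one field the mitigation cares about. The JSON shape is an
// assumption based on the advisory's callback_mode parameter name.
type roleConfig struct {
	CallbackMode string `json:"callback_mode"`
}

// rolesWithDirectCallback returns, sorted, the names of roles whose callback_mode is
// "direct": the roles the advisory's mitigation says to remove or reconfigure.
func rolesWithDirectCallback(rolesJSON map[string]string) ([]string, error) {
	var hits []string
	for name, raw := range rolesJSON {
		var rc roleConfig
		if err := json.Unmarshal([]byte(raw), &rc); err != nil {
			return nil, fmt.Errorf("role %q: %w", name, err)
		}
		if rc.CallbackMode == "direct" {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits, nil
}

func main() {
	// Constructed probe: a harmless alert stands in for a token-exfiltrating script.
	probe := url.Values{
		"error":             {"access_denied"},
		"error_description": {"<script>alert(1)</script>"},
	}.Encode()
	renderers := []struct {
		name   string
		render func(url.Values) string
	}{{"vulnerable", renderErrorPageVulnerable}, {"fixed", renderErrorPageFixed}, {"escaped", renderErrorPageEscaped}}
	for _, c := range renderers {
		fmt.Printf("%-10s reflects raw <script>: %v\n", c.name, containsRawScript(callbackResponse(c.render, probe)))
	}

	// Constructed role data standing in for what an operator reads back per role.
	roles := map[string]string{
		"admins": `{"callback_mode":"direct"}`,
		"devs":   `{"callback_mode":"client"}`,
		"legacy": `{}`,
	}
	hits, err := rolesWithDirectCallback(roles)
	fmt.Println("roles with callback_mode=direct:", hits, "err:", err)
}
```

The static-message variant is the stronger fix because it removes the attacker-controlled channel entirely; escaping is the fallback when the IdP's description genuinely has to be shown. The audit helper is only as good as the role data fed to it, so run it over every OIDC/JWT auth mount, not just the default one.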
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/openbao/openbao | Go | < 0.0.0-20260325133417-6e2b2dd84f0e | 0.0.0-20260325133417-6e2b2dd84f0e |
Affected products
4- ghsa-coords3 versionspkg:golang/github.com/openbao/openbaopkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/openbao&distro=openSUSE%20Tumbleweed
< 0.0.0-20260325133417-6e2b2dd84f0e+ 2 more
- (no CPE)range: < 0.0.0-20260325133417-6e2b2dd84f0e
- (no CPE)range: < 0.0.20260326T203309-150000.1.155.2
- (no CPE)range: < 2.5.2-1.1
References
- GitHub Advisory Database entry GHSA-cpj3-3r2f-xj59: https://github.com/advisories/GHSA-cpj3-3r2f-xj59
- NVD entry CVE-2026-33758: https://nvd.nist.gov/vuln/detail/CVE-2026-33758
- Fix commit (the Go pseudo-version of the patched release points at it): https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662
- Related pull request: https://github.com/openbao/openbao/pull/2709
- Release v2.5.2: https://github.com/openbao/openbao/releases/tag/v2.5.2
- OpenBao project advisory GHSA-cpj3-3r2f-xj59: https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59