VYPR
Critical severity · NVD Advisory · Published Mar 27, 2026 · Updated Mar 27, 2026

OpenBao has Reflected XSS in its OIDC authentication error message

CVE-2026-33758

Description

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role configured with callback_mode=direct are vulnerable to reflected XSS via the error_description parameter on the page rendered for a failed authentication: the provider-supplied (and therefore attacker-controllable) text is placed in the HTML response without being neutralised. A victim who opens a crafted failed-login link executes attacker script in the context of the Web UI, which gives the attacker access to the token the victim's Web UI session holds. In v2.5.2 the error_description value has been replaced with a static error message. Until upgraded, the vulnerability can be mitigated by removing any roles with callback_mode set to direct.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/openbao/openbao (Go)
Affected versions: < 0.0.0-20260325133417-6e2b2dd84f0e
Patched versions: 0.0.0-20260325133417-6e2b2dd84f0e
