Low severity 2.7 · NVD Advisory · Published Apr 21, 2026 · Updated Apr 24, 2026
CVE-2026-40264
Description
OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/openbao/openbao (Go) | < 0.0.0-20260420162526-f58111d2ca54 | 0.0.0-20260420162526-f58111d2ca54 |
Affected products
- osv-coords (4 versions): pkg:apk/chainguard/openbao-compat, pkg:apk/wolfi/openbao-compat, pkg:golang/github.com/openbao/openbao, pkg:rpm/opensuse/openbao&distro=openSUSE%20Tumbleweed; versions < 2.5.3-r0 and 3 more
- (no CPE) range: < 2.5.3-r0
- (no CPE) range: < 2.5.3-r0
- (no CPE) range: < 0.0.0-20260420162526-f58111d2ca54
- (no CPE) range: < 2.5.3-1.1
References
- github.com/advisories/GHSA-p49j-v9wc-wg57 (ghsa; ADVISORY)
- github.com/openbao/openbao/security/advisories/GHSA-p49j-v9wc-wg57 (nvd; Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-40264 (ghsa; ADVISORY)
- github.com/openbao/openbao/commit/059cc5950303688335d5c8ab9af8e453795d693a (ghsa; WEB)
- github.com/openbao/openbao/pull/2934 (ghsa; WEB)
- github.com/openbao/openbao/releases/tag/v2.5.3 (ghsa; WEB)