Low severity, score 2.7 (NVD advisory) · Published Apr 21, 2026 · Updated Apr 24, 2026
CVE-2026-40264
Description
OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3.
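To make the tenant-boundary failure concrete, the following is an added example in Go, not OpenBao's code. It models an accessor index with two lookups: a vulnerable one that follows the accessor's recorded namespace into another tenant (the pre-2.5.3 behaviour the description refers to), and a fixed one that, like the patch, rejects any accessor whose recorded namespace differs from the caller's and only honours namespace-less legacy entries from the root namespace. The types `Namespace`, `accessorEntry`, `tokenStore`, the functions `lookupVulnerable` and `lookupFixed`, and every accessor and token value are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified model of a namespaced token store's accessor index, written for
// this advisory. Not OpenBao code: all names here are invented.
type Namespace struct {
	ID   string
	Path string
}

// RootNamespace stands in for the implicit top-level tenant.
var RootNamespace = &Namespace{ID: "root", Path: ""}

// accessorEntry is what the index stores per accessor: the token it points at
// and the namespace the token was issued in. An empty NamespaceID models a
// legacy root token that never recorded one.
type accessorEntry struct {
	TokenID     string
	NamespaceID string
}

type tokenStore struct {
	accessors map[string]accessorEntry
}

var (
	errNotFound       = errors.New("accessor not found")
	errCrossNamespace = errors.New("cannot lookup token in different namespace")
)

// lookupVulnerable models the pre-fix logic: if the accessor entry names a
// namespace other than the caller's, the lookup switches to that namespace and
// succeeds, so a privileged caller in tenant A holding a leaked accessor from
// tenant B resolves B's token and can go on to renew or revoke it.
func (ts *tokenStore) lookupVulnerable(caller *Namespace, accessor string) (string, *Namespace, error) {
	e, ok := ts.accessors[accessor]
	if !ok {
		return "", nil, errNotFound
	}
	ns := caller
	if e.NamespaceID != "" {
		if e.NamespaceID != caller.ID {
			ns = &Namespace{ID: e.NamespaceID} // follows the accessor across the tenant boundary
		}
	} else {
		ns = RootNamespace // namespace-less entries are treated as root tokens
	}
	return e.TokenID, ns, nil
}

// lookupFixed models the patched logic: the lookup only succeeds inside the
// caller's own namespace, and a namespace-less entry is only honoured when the
// caller is the root namespace.
func (ts *tokenStore) lookupFixed(caller *Namespace, accessor string) (string, *Namespace, error) {
	e, ok := ts.accessors[accessor]
	if !ok {
		return "", nil, errNotFound
	}
	if e.NamespaceID != "" {
		if e.NamespaceID != caller.ID {
			return "", nil, errCrossNamespace
		}
	} else if caller.ID != RootNamespace.ID {
		return "", nil, errCrossNamespace
	}
	return e.TokenID, caller, nil
}

// newDemoStore builds a constructed index: one token per tenant plus a legacy
// root token whose entry carries no namespace. All values are made up.
func newDemoStore() *tokenStore {
	return &tokenStore{accessors: map[string]accessorEntry{
		"acc-ns1":         {TokenID: "tok-ns1", NamespaceID: "ns1-id"},
		"acc-ns2":         {TokenID: "tok-ns2", NamespaceID: "ns2-id"},
		"acc-legacy-root": {TokenID: "tok-root", NamespaceID: ""},
	}}
}

func main() {
	ts := newDemoStore()
	ns1 := &Namespace{ID: "ns1-id", Path: "ns1/"}
	ns2 := &Namespace{ID: "ns2-id", Path: "ns2/"}

	// Tenant ns2 holds a leaked accessor that belongs to tenant ns1.
	tok, ns, err := ts.lookupVulnerable(ns2, "acc-ns1")
	fmt.Printf("vulnerable: token=%q resolved in %q err=%v\n", tok, ns.ID, err)
	_, _, err = ts.lookupFixed(ns2, "acc-ns1")
	fmt.Printf("fixed:      err=%v\n", err)
	// The owning tenant still resolves its own accessor after the fix.
	tok, _, err = ts.lookupFixed(ns1, "acc-ns1")
	fmt.Printf("fixed, own namespace: token=%q err=%v\n", tok, err)
}
```

The model deliberately uses a sentinel error so a caller or test can check `errors.Is(err, errCrossNamespace)`; the real patch returns a fresh `fmt.Errorf` string, which is harder to match programmatically.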
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/openbao/openbao | Go | < 0.0.0-20260420162526-f58111d2ca54 | 0.0.0-20260420162526-f58111d2ca54 |
Patches (1)
059cc5950303 Prevent cross-namespace token accessor use (#2934) (#2939)
3 files changed · +36 −10
changelog/2934.txt+3 −0 added@@ -0,0 +1,3 @@ +```release-note:security +auth/token: Prevent cross-namespace token renewal, revocation by accessor. GHSA-p49j-v9wc-wg57 / CVE-2026-40264. +```
vault/token_store.go+7 −10 modified@@ -2331,18 +2331,15 @@ func (ts *TokenStore) lookupByAccessor(ctx context.Context, id string, salted, t if err != nil { return nil, err } - if accessorNS != nil { - if accessorNS.ID != ns.ID { - ns = accessorNS - ctx = namespace.ContextWithNamespace(ctx, accessorNS) - } + if accessorNS != nil && accessorNS.ID != ns.ID { + return nil, fmt.Errorf("cannot lookup token in different namespace") } - } else { - // Any non-root-ns token should have an accessor and child - // namespaces cannot have custom IDs. If someone omits or tampers + } else if ns.ID != namespace.RootNamespaceID { + // Any non-root-ns token should have an accessor and child. + // + // Namespaces cannot have custom IDs. If someone omits or tampers // with it, the lookup in the root namespace simply won't work. - ns = namespace.RootNamespace - ctx = namespace.ContextWithNamespace(ctx, ns) + return nil, fmt.Errorf("cannot lookup token in different namespace") } lookupID, err = ts.SaltID(ctx, id)
vault/token_store_test.go+26 −0 modified@@ -782,6 +782,14 @@ func TestTokenStore_AccessorIndex(t *testing.T) { c, _, _ := TestCoreUnsealed(t) ts := c.tokenStore + ns1 := &namespace.Namespace{ + Path: "ns1", + } + ns2 := &namespace.Namespace{ + Path: "ns1/ns2", + } + TestCoreCreateNamespaces(t, c, ns1, ns2) + ent := &logical.TokenEntry{ Path: "test", Policies: []string{"dev", "ops"}, @@ -811,6 +819,24 @@ func TestTokenStore_AccessorIndex(t *testing.T) { t.Fatalf("bad: got\n%s\nexpected\n%s\n", aEntry.TokenID, ent.ID) } + // Verify we can't do cross-namespace token lookups. + aEntry, err = ts.lookupByAccessor(namespace.ContextWithNamespace(ctx, ns1), out.Accessor, false, false) + require.Error(t, err, "successfully looked up accessor: %v", out.Accessor) + require.Nil(t, aEntry) + + ent2 := *ent + ent2.ID = "" + ent2.NamespaceID = ns1.ID + testMakeTokenDirectly(t, ctx, ts, &ent2) + + aEntry, err = ts.lookupByAccessor(ctx, ent2.Accessor, false, false) + require.Error(t, err) + require.Nil(t, aEntry) + + aEntry, err = ts.lookupByAccessor(namespace.ContextWithNamespace(ctx, ns2), ent2.Accessor, false, false) + require.Error(t, err) + require.Nil(t, aEntry) + // Make sure a batch token doesn't get an accessor ent.Type = logical.TokenTypeBatch testMakeTokenDirectly(t, ctx, ts, ent)
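Review bot: in the vault/token_store.go hunk, the comment on the new `else if ns.ID != namespace.RootNamespaceID` branch now reads "Any non-root-ns token should have an accessor and child." which is the first half of the old sentence ("...and child namespaces cannot have custom IDs") left dangling by the paragraph split; reword it to state the invariant the branch enforces, e.g. "Any non-root-ns token should have a namespace recorded on its accessor entry." Both rejection paths also return a fresh `fmt.Errorf("cannot lookup token in different namespace")`; a sentinel (`var ErrCrossNamespaceAccessor = errors.New(...)`) returned from both places would let callers and the new test check the condition with `errors.Is` instead of a bare `require.Error`, and distinct wording for the two cases (accessor recorded in another namespace vs. accessor with no namespace used from a child namespace) would make the audit trail easier to read when an operator investigates a rejected renew or revoke.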
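Review bot: in the second vault/token_store_test.go hunk, the new assertions for `ent2` only exercise rejection paths (root context and ns2 context); there is no positive lookup of `ent2.Accessor` from ns1's own context, so a regression that made `lookupByAccessor` reject every child-namespace token would still pass. Add after the ns2 check: `aEntry, err = ts.lookupByAccessor(namespace.ContextWithNamespace(ctx, ns1), ent2.Accessor, false, false)` / `require.NoError(t, err)` / `require.Equal(t, ent2.ID, aEntry.TokenID)`. Also, `testMakeTokenDirectly(t, ctx, ts, &ent2)` is called with the root `ctx` while `ent2.NamespaceID` is `ns1.ID`; if the helper derives the namespace from the context rather than from the entry, the accessor index row would not land in ns1 and the following negative checks would pass for the wrong reason, so either pass an ns1 context or add a comment stating that the helper honours the entry's NamespaceID.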
References (6)
- github.com/advisories/GHSA-p49j-v9wc-wg57 (source: ghsa; type: ADVISORY)
- github.com/openbao/openbao/security/advisories/GHSA-p49j-v9wc-wg57 (source: nvd; Vendor Advisory; type: WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-40264 (source: ghsa; type: ADVISORY)
- github.com/openbao/openbao/commit/059cc5950303688335d5c8ab9af8e453795d693a (source: ghsa; type: WEB)
- github.com/openbao/openbao/pull/2934 (source: ghsa; type: WEB)
- github.com/openbao/openbao/releases/tag/v2.5.3 (source: ghsa; type: WEB)