VYPR
High severityGHSA Advisory· Published May 28, 2026· Updated May 28, 2026

OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL

CVE-2026-45808

Description

# Impact

OpenBao's namespaces provide multi-tenant separation. A tenant who intentionally leaks lease identifiers can have their lease and underlying credential revoked or renewed by a user in another tenant via the legacy, undocumented sys/revoke and sys/renew endpoints.

# Patch

This will be addressed in v2.5.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/openbao/openbaoGo
< 2.5.42.5.4

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.