VYPR
Low severity · 2.1 · NVD Advisory · Published Jun 19, 2026 · Updated Jun 19, 2026

OpenBao: Cross-namespace lease revocation/renewal via canonical sys/leases/{revoke,renew} — incomplete fix of CVE-2026-45808

CVE-2026-55774

Description

Summary

OpenBao users with access to the sys/leases/revoke/:lease_id endpoint in any namespace can revoke leases in any other namespace as long as the lease identifier is known to them, bypassing ACLs that should apply for cross-namespace revocations.

Impact

OpenBao's namespaces provide multi-tenant separation. A tenant who intentionally leaks lease identifiers can have their lease and underlying credential revoked by a user in another tenant.

Patch

This will be fixed in OpenBao v2.5.5.

References

This vulnerability is similar to but distinct from:

  • CVE-2026-45808 / GHSA-v8v8-cm84-m686
  • CVE-2026-40264 / GHSA-p49j-v9wc-wg57

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing namespace ownership verification in lease routing logic allows a request's context to be re-routed to a different namespace without checking the requesting token's ACLs."

Attack vector

An attacker with access to the `sys/leases/revoke/:lease_id` endpoint in any namespace can revoke leases belonging to any other namespace, provided they know the lease identifier. The original code extracted the namespace ID from the lease ID and re-routed the request context without verifying that the requesting token's ACLs permit cross-namespace access. This bypasses the multi-tenant namespace isolation that OpenBao's namespaces are designed to enforce [ref_id=1].

Affected code

The vulnerability resides in `vault/request_handling.go` in the `handleCancelableRequest` function, specifically in the `sys/leases/` path routing logic. The `vault/expiration.go` `FetchLeaseInfo` and `loadEntry` functions also lacked proper namespace checks. The patch modifies these files and adds comprehensive cross-namespace routing tests in `vault/request_handling_test.go`.

What the fix does

The patch restructures the lease ID extraction logic in `handleCancelableRequest` to properly handle both request-data and path-segment lease IDs, and adds a type assertion (`byData.(string)`) to prevent nil interface values from bypassing the routing code. In `expiration.go`, `FetchLeaseInfo` now checks that the cached lease's namespace matches the request context's namespace, returning `nil` on mismatch instead of leaking lease information. The redundant namespace override in `loadEntry` was removed, ensuring the request context namespace is not silently overwritten by the lease's embedded namespace ID.
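To make the namespace-ownership check concrete, here is an added example (not OpenBao's code, and not taken from the patch) that models a lease cache with a pre-fix lookup beside a patched one. The lease-ID layout `<path>.<namespace-id>`, the function names, and the two-tenant sample store are all assumptions of this toy model; the point it demonstrates is the one the fix makes: the request context's namespace stays authoritative, and a lease owned by another namespace is treated as absent rather than re-routed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// LeaseEntry is a simplified lease record that, like a real secrets-manager
// lease, carries the ID of the namespace that owns it.
type LeaseEntry struct {
	LeaseID     string
	NamespaceID string
	Revoked     bool
}

// LeaseStore is a constructed in-memory lease cache keyed by lease ID.
type LeaseStore map[string]*LeaseEntry

// ErrLeaseNotFound is returned when a lease is absent or not visible to the caller.
var ErrLeaseNotFound = errors.New("lease not found")

// namespaceFromLeaseID recovers the owning namespace embedded in a lease ID.
// The "<path>.<namespace-id>" layout is an assumption of this toy model.
func namespaceFromLeaseID(leaseID string) string {
	if i := strings.LastIndex(leaseID, "."); i >= 0 {
		return leaseID[i+1:]
	}
	return "root"
}

// fetchLeaseVulnerable models the pre-fix behaviour: the namespace is taken
// from the lease ID itself and silently replaces the request's namespace,
// so the tenant boundary is decided by caller-supplied data.
func fetchLeaseVulnerable(store LeaseStore, reqNamespace, leaseID string) *LeaseEntry {
	reqNamespace = namespaceFromLeaseID(leaseID) // request context overwritten
	entry, ok := store[leaseID]
	if !ok || entry.NamespaceID != reqNamespace {
		return nil
	}
	return entry
}

// fetchLeaseFixed models the patched behaviour: the request namespace is
// authoritative, and a lease owned by another namespace is reported as absent.
func fetchLeaseFixed(store LeaseStore, reqNamespace, leaseID string) *LeaseEntry {
	entry, ok := store[leaseID]
	if !ok || entry.NamespaceID != reqNamespace {
		return nil // mismatch: do not leak that the lease exists elsewhere
	}
	return entry
}

// Revoke marks a lease revoked using the supplied lookup policy. Returning
// ErrLeaseNotFound for a cross-namespace ID keeps the tenant boundary intact.
func Revoke(store LeaseStore, reqNamespace, leaseID string,
	fetch func(LeaseStore, string, string) *LeaseEntry) error {
	entry := fetch(store, reqNamespace, leaseID)
	if entry == nil {
		return ErrLeaseNotFound
	}
	entry.Revoked = true
	return nil
}

// NewSampleStore builds a constructed two-tenant lease cache for demonstration.
func NewSampleStore() LeaseStore {
	return LeaseStore{
		"database/creds/app.tenant-a": {LeaseID: "database/creds/app.tenant-a", NamespaceID: "tenant-a"},
		"database/creds/app.tenant-b": {LeaseID: "database/creds/app.tenant-b", NamespaceID: "tenant-b"},
	}
}

func main() {
	// A request made in tenant-a names tenant-b's lease ID; compare both lookups.
	for name, fetch := range map[string]func(LeaseStore, string, string) *LeaseEntry{
		"vulnerable": fetchLeaseVulnerable,
		"fixed":      fetchLeaseFixed,
	} {
		store := NewSampleStore()
		err := Revoke(store, "tenant-a", "database/creds/app.tenant-b", fetch)
		fmt.Printf("%-10s cross-namespace revoke: err=%v revoked=%v\n",
			name, err, store["database/creds/app.tenant-b"].Revoked)
	}
}
```

With the patched lookup the cross-namespace request fails with `ErrLeaseNotFound` and tenant-b's lease stays active, while a request made from tenant-b itself still revokes it; the same "not found" answer for both absent and foreign leases is what keeps the check from becoming an existence oracle.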

Preconditions

  • auth: The attacker must have access to the `sys/leases/revoke/:lease_id` endpoint in any namespace
  • input: The attacker must know the lease identifier of a lease in another namespace
  • config: The target namespace must have a lease that the attacker can identify

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
