VYPR

rpm package: opensuse/openbao (distro: openSUSE Tumbleweed)

pkg:rpm/opensuse/openbao&distro=openSUSE%20Tumbleweed

Vulnerabilities (31)

  • CVE-2026-46405, May 28, 2026
    affected: < 2.5.4-1.1; fixed: 2.5.4-1.1

    Impact: In OpenBao's Kerberos auth method on the `GET` handler, or when an `Authorization: Negotiate` header is supplied, the response includes a `logical.Auth` object in addition to an error message. This results in tokens being created with only the default policy, defau

  • CVE-2026-46358, May 28, 2026
    affected: < 2.5.4-1.1; fixed: 2.5.4-1.1

    Impact: OpenBao's inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review le

  • CVE-2026-45808 (High), May 28, 2026
    affected: < 2.5.4-1.1; fixed: 2.5.4-1.1

    Impact: OpenBao's namespaces provide multi-tenant separation. A tenant who intentionally leaks lease identifiers can have their lease and underlying credential revoked or renewed by a user in another tenant via the legacy, undocumented `sys/revoke` and `sys/renew` endpoints.

  • CVE-2026-40264 (Low), Apr 21, 2026
    affected: < 2.5.3-1.1; fixed: 2.5.3-1.1

    OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is ad

  • CVE-2026-39946 (Medium), Apr 21, 2026
    affected: < 2.5.3-1.1; fixed: 2.5.3-1.1

    OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead t

  • CVE-2026-39396 (Low), Apr 21, 2026
    affected: < 2.5.3-1.1; fixed: 2.5.3-1.1

    OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, `ExtractPluginFromImage()` in OpenBao's OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data via `io.Copy` with no upper bound on the nu

  • CVE-2026-39388 (Low), Apr 21, 2026
    affected: < 2.5.3-1.1; fixed: 2.5.3-1.1

    OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, OpenBao's Certificate authentication method, when a token renewal is requested and `disable_binding=true` is set, attempts to verify the current request's presented mTLS certificate matche

  • CVE-2026-5807 (High), Apr 17, 2026
    affected: < 2.5.3-1.1; fixed: 2.5.3-1.1

    Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows.

  • CVE-2026-3605 (High), Apr 17, 2026
    affected: < 2.5.3-1.1; fixed: 2.5.3-1.1

    An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor

  • CVE-2026-33758, Mar 27, 2026
    affected: < 2.5.2-1.1; fixed: 2.5.2-1.1

    OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on

  • CVE-2026-33757, Mar 27, 2026
    affected: < 2.5.2-1.1; fixed: 2.5.2-1.1

    OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and p

  • CVE-2025-68121 (Critical), Feb 5, 2026
    affected: < 2.5.1-1.1; fixed: 2.5.1-1.1

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2026-24051 (High), Feb 2, 2026
    affected: < 2.5.1-1.1; fixed: 2.5.1-1.1

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman

  • CVE-2025-64761, Nov 25, 2025
    affected: < 2.4.4-1.1; fixed: 2.4.4-1.1

    OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this

  • CVE-2025-62705, Oct 22, 2025
    affected: < 2.4.3-1.1; fixed: 2.4.3-1.1

    OpenBao is an open source identity-based secrets management system. Prior to version 2.4.2, OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to sys/raw with use

  • CVE-2025-62513, Oct 22, 2025
    affected: < 2.4.3-1.1; fixed: 2.4.3-1.1

    OpenBao is an open source identity-based secrets management system. In versions 2.2.0 to 2.4.1, OpenBao's audit log experienced a regression wherein raw HTTP bodies used by a few endpoints were not correctly redacted (HMAC'd). This impacts those using the ACME functionality of PKI,

  • CVE-2025-6203, Aug 28, 2025
    affected: < 2.4.1-1.1; fixed: 2.4.1-1.1

    A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server

  • CVE-2025-55003, Aug 9, 2025
    affected: < 2.3.2-1.1; fixed: 2.3.2-1.1

    OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (

  • CVE-2025-55000, Aug 9, 2025
    affected: < 2.3.2-1.1; fixed: 2.3.2-1.1

    OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caus

  • CVE-2025-54996, Aug 9, 2025
    affected: < 2.3.2-1.1; fixed: 2.3.2-1.1

    OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their s

Page 1 of 2